
Browser redirected after Windows XP Repair Spyware



I am trying to fix a problem with Internet Explorer Version 8.

The computer was infected with the Windows XP Repair spyware and, after running System Restore and several antispyware programs, I was able to clean the computer of spyware, but I have not been able to clean the redirect. I have run Microsoft Security Essentials, Microsoft Safety Scanner, Browser Hijack and SUPERAntiSpyware. I ran HijackThis but I am not sure which file I should remove. Attached is the HijackThis log file; can anyone help me?

I ran OTL and downloaded "This File" (GMER) and attached are the files OTL.txt, Extras.txt and Results.log.


  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

Below are the logs from the programs. Thank you.

I ran OTL and downloaded "This File" (GMER) and attached are the files OTL.txt, Extras.txt and Results.log.

OTL logfile created on: 7/29/2011 2:01:49 PM - Run 2

OTL by OldTimer - Version 3.2.26.1 Folder = C:\t

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.96 Gb Total Physical Memory | 1.28 Gb Available Physical Memory | 65.61% Memory free

3.80 Gb Paging File | 3.21 Gb Available in Paging File | 84.40% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 139.03 Gb Total Space | 116.94 Gb Free Space | 84.11% Space Free | Partition Type: NTFS

Drive D: | 10.00 Gb Total Space | 1.99 Gb Free Space | 19.85% Space Free | Partition Type: NTFS

Computer Name: HP7800-05 | User Name: administrator | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\t\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec AntiVirus\SmcGui.exe (Symantec Corporation)

PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)

PRC - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International)

PRC - C:\Program Files\Intel\AMT\UNS.exe (Intel)

PRC - C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation)

PRC - C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)

PRC - C:\Program Files\Intel\AMT\LMS.exe (Intel)

PRC - C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe (Infineon Technologies AG)

PRC - C:\WINDOWS\system32\IfxPsdSv.exe (Infineon Technologies AG)

PRC - C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe (Cognizance Corporation)

PRC - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe (Hewlett-Packard Development Company, L.P.)

PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

PRC - C:\WINDOWS\SMINST\Scheduler.exe ()

========== Modules (SafeList) ==========

MOD - C:\t\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\APSHook.dll (Bioscrypt Inc.)

========== Win32 Services (SafeList) ==========

SRV - (0028191220450047mcinstcleanup) McAfee Application Installer Cleanup (0028191220450047) -- File not found

SRV - (ccSetMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (ccEvtMgr) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)

SRV - (SmcService) -- C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)

SRV - (SNAC) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE (Symantec Corporation)

SRV - (Symantec AntiVirus) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)

SRV - (LiveUpdate) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (pdfcDispatcher) -- C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)

SRV - (HpFkCryptService) -- C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International)

SRV - (UNS) Intel® -- C:\Program Files\Intel\AMT\UNS.exe (Intel)

SRV - (atchksrv) Intel® -- C:\Program Files\Intel\AMT\atchksrv.exe (Intel Corporation)

SRV - (LMS) Intel® -- C:\Program Files\Intel\AMT\LMS.exe (Intel)

SRV - (PersonalSecureDriveService) -- C:\WINDOWS\system32\IfxPsdSv.exe (Infineon Technologies AG)

SRV - (ASBroker) -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)

SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)

SRV - (ASChannel) -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll (Cognizance Corporation)

========== Driver Services (SafeList) ==========

DRV - (MpKsl3d7183a7) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FF87AB05-2C6E-4885-80D5-9D63EF5A9A9E}\MpKsl3d7183a7.sys (Microsoft Corporation)

DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)

DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)

DRV - (NAVEX15) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110728.051\NAVEX15.SYS (Symantec Corporation)

DRV - (NAVENG) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110728.051\NAVENG.SYS (Symantec Corporation)

DRV - (WpsHelper) -- C:\WINDOWS\system32\drivers\wpshelper.sys (Symantec Corporation)

DRV - (WPS) -- C:\WINDOWS\system32\drivers\WPSDRVnt.sys (Symantec Corporation)

DRV - (SRTSPL) -- C:\WINDOWS\system32\drivers\srtspl.sys (Symantec Corporation)

DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\srtsp.sys (Symantec Corporation)

DRV - (SRTSPX) -- C:\WINDOWS\system32\drivers\srtspx.sys (Symantec Corporation)

DRV - (SysPlant) -- C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys (Symantec Corporation)

DRV - (Teefer2) -- C:\WINDOWS\system32\drivers\Teefer2.sys (Symantec Corporation)

DRV - (SPBBCDrv) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)

DRV - (SYMTDI) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS (Symantec Corporation)

DRV - (SYMREDRV) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)

DRV - (COH_Mon) -- C:\WINDOWS\system32\drivers\COH_Mon.sys (Symantec Corporation)

DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)

DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)

DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG)

DRV - (SbFsLock) -- C:\WINDOWS\System32\drivers\SbFsLock.sys (SafeBoot International)

DRV - (RsvLock) -- C:\WINDOWS\System32\drivers\rsvlock.sys (SafeBoot International)

DRV - (SafeBoot) -- C:\WINDOWS\System32\drivers\SafeBoot.sys ()

DRV - (HECI) Intel® -- C:\WINDOWS\system32\drivers\HECI.sys (Intel Corporation)

DRV - (PersonalSecureDrive) -- C:\WINDOWS\System32\drivers\psd.sys (Infineon Technologies AG)

DRV - (SbAlg) -- C:\WINDOWS\System32\drivers\SbAlg.sys (SafeBoot N.V.)

DRV - (VirtDisk) -- c:\WINDOWS\SMINST\virtdisk.sys (XSS)

DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)

DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)

DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)

DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)

DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)

DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)

DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)

DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)

DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)

DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)

DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)

DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)

DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)

DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)

DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)

DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.google.com"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/09 09:46:34 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.5.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/30 09:50:30 | 000,000,000 | ---D | M]

FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{1650a312-02bc-40ee-977e-83f158701739}: C:\Program Files\SiteAdvisor\6173\FF\

[2011/07/09 09:46:44 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Mozilla\Extensions

[2011/07/12 15:57:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Mozilla\Firefox\Profiles\2hqaunms.default\extensions

[2011/07/09 09:48:29 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Mozilla\Firefox\Profiles\2hqaunms.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2009/09/15 12:16:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2011/07/12 09:30:28 | 000,000,698 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

O2 - BHO: (Credential Manager for HP ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll (Bioscrypt Inc.)

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O4 - HKLM..\Run: [atchk] C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)

O4 - HKLM..\Run: [bHR] File not found

O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll (Cognizance Corporation)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe (PDF Complete Inc)

O4 - HKLM..\Run: [PTHOSTTR] c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()

O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()

O4 - HKLM..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()

O4 - HKLM..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)

O4 - HKCU..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)

O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll (Google Inc.)

O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab (Office Genuine Advantage Validation Tool)

O16 - DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} http://boeprod1.uapps.net/businessobjects/enterprise115/desktoplaunch/viewers/crystalreportviewers115/ActiveXControls/PrintControl.cab (Crystal Reports Print Control 11.5)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab? (MiniBugTransporterX Class)

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220467483054 (WUWebControl Class)

O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} http://boefarm1.uapps.net/businessobjects/viewers/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab (Crystal ActiveX Report Viewer Control 11.5)

O16 - DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} http://204.71.142.69/CrystalReports/crystalreportviewers/ActiveXControls/PrintControl.cab (Crystal Reports Print Control 12.0)

O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab (Verizon Wireless Media Upload)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP27-10832/event/ieatgpc.cab (GpcContainer Class)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npes.org

O20 - AppInit_DLLs: (APSHook.dll) - C:\WINDOWS\System32\APSHook.dll (Bioscrypt Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)

O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2004/04/30 21:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/29 13:59:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OFFICE\My Documents\My Videos

[2011/07/29 13:59:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OFFICE\Start Menu\Programs\Administrative Tools

[2011/07/12 15:12:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OFFICE\Start Menu\Programs\HiJackThis

[2011/07/12 15:12:55 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2011/07/11 16:17:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy

[2011/07/11 16:17:42 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2011/07/11 16:17:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2011/07/10 01:38:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth

[2011/07/09 21:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2011/07/09 21:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OFFICE\Application Data\SUPERAntiSpyware.com

[2011/07/09 21:18:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware

[2011/07/09 21:18:21 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2011/07/09 09:48:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OFFICE\My Documents\Downloads

[2011/07/09 09:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OFFICE\Local Settings\Application Data\Mozilla

[2011/07/09 09:46:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Mozilla

[2011/07/09 06:22:27 | 000,244,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSFLXGRD.OCX

[2011/07/09 06:22:27 | 000,203,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\richtx32.ocx

[2011/07/09 06:22:27 | 000,132,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSINET.OCX

[2011/07/07 08:27:24 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.OFFICE\IECompatCache

[2011/07/05 16:39:17 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe

[2011/07/05 16:34:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client

[2011/06/29 16:44:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware

[2011/06/29 16:44:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/29 13:55:20 | 000,002,477 | ---- | M] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\HiJackThis.lnk

[2011/07/29 13:54:13 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2011/07/29 13:54:08 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2011/07/29 13:43:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2011/07/29 10:09:50 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2011/07/29 10:04:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2011/07/29 10:03:58 | 2099,560,448 | -HS- | M] () -- C:\hiberfil.sys

[2011/07/13 14:38:08 | 000,274,968 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2011/07/13 09:01:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2011/07/11 16:33:08 | 000,002,976 | ---- | M] () -- C:\WINDOWS\wininit.ini

[2011/07/11 16:18:53 | 000,000,981 | ---- | M] () -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2011/07/11 16:18:53 | 000,000,963 | ---- | M] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\Spybot - Search & Destroy.lnk

[2011/07/09 21:18:24 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2011/07/09 09:46:22 | 000,001,614 | ---- | M] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\Mozilla Firefox.lnk

[2011/07/09 06:28:51 | 000,002,243 | ---- | M] () -- C:\WINDOWS\epplauncher.mif

[2011/06/29 16:44:24 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/25 11:05:14 | 2099,560,448 | -HS- | C] () -- C:\hiberfil.sys

[2011/07/12 15:12:56 | 000,002,477 | ---- | C] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\HiJackThis.lnk

[2011/07/11 16:17:45 | 000,000,981 | ---- | C] () -- C:\Documents and Settings\Administrator.OFFICE\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2011/07/11 16:17:45 | 000,000,963 | ---- | C] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\Spybot - Search & Destroy.lnk

[2011/07/09 21:18:24 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2011/07/09 09:46:22 | 000,001,614 | ---- | C] () -- C:\Documents and Settings\Administrator.OFFICE\Desktop\Mozilla Firefox.lnk

[2011/07/05 16:39:50 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job

[2011/07/05 16:34:59 | 000,002,243 | ---- | C] () -- C:\WINDOWS\epplauncher.mif

[2011/07/05 16:34:40 | 000,001,680 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk

[2011/06/29 16:44:24 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2011/06/28 11:45:55 | 000,000,248 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~18603812

[2011/06/28 11:45:55 | 000,000,176 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~18603812r

[2011/06/28 11:45:42 | 000,000,344 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\18603812

[2009/09/15 12:16:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat

[2009/02/21 08:25:20 | 000,691,592 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL

[2009/01/06 14:43:29 | 000,000,608 | ---- | C] () -- C:\WINDOWS\{9C564F6E-729F-4C69-9CD9-F476EFDAC442}.ini

[2008/12/04 18:45:47 | 000,000,285 | ---- | C] () -- C:\WINDOWS\FRX.INI

[2008/09/09 15:09:31 | 000,002,976 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2008/09/05 11:25:08 | 000,001,600 | ---- | C] () -- C:\WINDOWS\hplj1320.ini

[2008/09/05 11:24:25 | 000,000,385 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini

[2008/09/05 11:24:20 | 000,001,099 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini

[2008/09/05 11:24:09 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL

[2008/09/05 11:24:08 | 000,000,319 | R--- | C] () -- C:\WINDOWS\System32\HPB1320V.DAT

[2008/09/03 17:53:18 | 000,048,640 | ---- | C] () -- C:\WINDOWS\quoter.exe

[2008/09/03 17:31:00 | 000,000,473 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2008/08/13 18:49:01 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2008/08/13 18:11:31 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2008/08/13 18:11:31 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2008/08/13 18:11:31 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2008/08/13 18:11:31 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2008/08/13 18:11:31 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2008/08/13 18:11:31 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2008/08/13 17:56:30 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll

[2008/05/22 15:59:50 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\it.exe

[2007/06/13 20:53:28 | 000,101,167 | ---- | C] () -- C:\WINDOWS\System32\drivers\SafeBoot.sys

[2006/04/25 14:05:14 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat

[2006/04/25 13:43:54 | 000,506,052 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat

[2006/04/25 13:43:54 | 000,089,390 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat

[2006/04/25 13:39:48 | 000,274,968 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2006/04/25 13:31:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2006/04/25 13:27:12 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

[2006/02/27 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat

[2006/02/27 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat

[2006/02/27 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat

[2006/02/27 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin

[2006/02/27 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat

[2006/02/27 22:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat

[2006/02/27 22:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

[2006/02/27 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

[2004/06/12 04:16:00 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\imsys.dll

[2002/05/28 03:55:42 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin

[2002/05/28 03:54:40 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

[2002/05/08 06:12:22 | 000,000,801 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2001/07/31 06:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

[1998/05/06 22:10:00 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\ODMA32.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 60 bytes -> C:\Personify Upgrate:AFP_AfpInfo

@Alternate Data Stream - 60 bytes -> C:\NPES:AFP_AfpInfo

< End of report >

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit quick scan 2011-07-29 13:58:53

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 ST3160815AS rev.3.CHH

Running: 5vmxtvkj.exe; Driver: C:\DOCUME~1\ADMINI~1.OFF\LOCALS~1\Temp\fxlyrpow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 89D75E7A

Thread System [4:128] 89D78008

---- EOF - GMER 1.0.15 ----

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by administrator at 13:59:01 on 2011-07-29

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1333 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\System32\svchost.exe -k Cognizance

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec AntiVirus\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\system32\ifxtcs.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\IfxPsdSv.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [iFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule

mRun: [Recguard] c:\windows\sminst\Recguard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [scheduler] c:\windows\sminst\Scheduler.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [bHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://boeprod1.uapps.net/businessobjects/enterprise115/desktoplaunch/viewers/crystalreportviewers115/ActiveXControls/PrintControl.cab

DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - hxxp://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220467483054

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://boefarm1.uapps.net/businessobjects/viewers/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://204.71.142.69/CrystalReports/crystalreportviewers/ActiveXControls/PrintControl.cab

DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP27-10832/event/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll

AppInit_DLLs: APSHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = SbHpNp scecli ASWLNPkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator.office\application data\mozilla\firefox\profiles\2hqaunms.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-6-13 101167]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl3d7183a7;MpKsl3d7183a7;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ff87ab05-2c6e-4885-80d5-9d63ef5a9a9e}\MpKsl3d7183a7.sys [2011-7-29 28752]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-4-18 39080]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-6-13 5808]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]

R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-28 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-28 108392]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-7-9 221184]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-8-13 576024]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2011-6-28 1831024]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-8-13 2521880]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110728.051\NAVENG.SYS [2011-7-29 86008]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110728.051\NAVEX15.SYS [2011-7-29 1542392]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S1 MpKsl6ba915fc;MpKsl6ba915fc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17c260a-18fb-4793-bc87-d11a5afe884c}\mpksl6ba915fc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17c260a-18fb-4793-bc87-d11a5afe884c}\MpKsl6ba915fc.sys [?]

S2 0028191220450047mcinstcleanup;McAfee Application Installer Cleanup (0028191220450047);c:\docume~1\admini~1\locals~1\temp\002819~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\002819~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-6-28 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\virtdisk.sys [2008-8-13 57344]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-07-29 14:15:54 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ff87ab05-2c6e-4885-80d5-9d63ef5a9a9e}\MpKsl3d7183a7.sys

2011-07-29 14:15:35 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ff87ab05-2c6e-4885-80d5-9d63ef5a9a9e}\mpengine.dll

2011-07-12 19:12:56 388096 ----a-r- c:\documents and settings\administrator.office\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-12 19:12:55 -------- d-----w- c:\program files\Trend Micro

2011-07-11 20:17:42 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-11 20:17:42 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-07-11 20:13:00 6600616 ----a-w- c:\temp\spybotsd_includes.exe

2011-07-11 20:12:59 16409960 ----a-w- c:\temp\spybotsd162.exe

2011-07-10 01:18:31 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-07-10 01:18:31 -------- d-----w- c:\documents and settings\administrator.office\application data\SUPERAntiSpyware.com

2011-07-10 01:18:21 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-07-09 13:46:30 -------- d-----w- c:\documents and settings\administrator.office\local settings\application data\Mozilla

2011-07-09 10:22:27 3584 ----a-w- c:\program files\common files\microsoft shared\dao\comcat.dll

2011-07-09 10:22:27 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX

2011-07-09 10:22:27 203976 ----a-w- c:\windows\system32\richtx32.ocx

2011-07-09 10:22:27 1338880 ----a-w- c:\program files\common files\microsoft shared\dao\shdocvw.dll

2011-07-09 10:22:27 132880 ----a-w- c:\windows\system32\MSINET.OCX

2011-07-07 12:27:24 -------- d-sh--w- c:\documents and settings\administrator.office\IECompatCache

2011-07-06 21:15:26 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2011-07-05 20:39:17 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-07-05 20:34:23 -------- d-----w- c:\program files\Microsoft Security Client

2011-06-30 13:50:20 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2011-06-30 13:50:17 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

2011-06-29 20:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.

==================== Find3M ====================

.

2011-06-28 19:36:41 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

============= FINISH: 14:00:09.09 ===============


  • Staff

Hi,

I notice that you are using more than one antivirus program (Microsoft and Symantec). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Below is the ComboFix log:

ComboFix 11-08-03.03 - administrator 08/03/2011 17:13:27.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1407 [GMT -4:00]

Running from: c:\documents and settings\Administrator.OFFICE\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\docume~1\ADMINI~1.OFF\LOCALS~1\Temp\SAS249.tmp

c:\documents and settings\Administrator.OFFICE\Local Settings\Temp\SAS249.tmp

c:\windows\system32\it.EXE

D:\Autorun.inf

.

.

((((((((((((((((((((((((( Files Created from 2011-07-03 to 2011-08-03 )))))))))))))))))))))))))))))))

.

.

2011-08-03 21:19 . 2011-08-03 21:19 118784 ----a-w- c:\windows\system32\chg.exe

2011-08-03 20:53 . 2011-08-03 20:53 -------- d--h--w- c:\windows\system32\GroupPolicy

2011-07-14 03:24 . 2011-07-14 03:28 -------- d-----w- c:\documents and settings\EBSi

2011-07-13 19:40 . 2011-07-13 19:40 -------- d-----w- c:\documents and settings\jromero.OFFICE

2011-07-12 19:23 . 2011-07-12 19:23 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2011-07-12 19:12 . 2011-07-12 19:12 -------- d-----w- c:\program files\Trend Micro

2011-07-11 20:17 . 2011-08-03 20:52 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-07-11 20:17 . 2011-08-03 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-07-10 05:38 . 2011-07-10 05:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2011-07-10 01:18 . 2011-07-10 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-07-09 13:46 . 2011-07-09 13:46 -------- d-----w- c:\documents and settings\Administrator.OFFICE\Local Settings\Application Data\Mozilla

2011-07-09 10:22 . 2004-03-09 17:00 132880 ----a-w- c:\windows\system32\MSINET.OCX

2011-07-09 10:22 . 2001-10-04 18:13 3584 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\comcat.dll

2011-07-09 10:22 . 2001-10-04 17:16 1338880 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\shdocvw.dll

2011-07-09 10:22 . 2000-05-22 21:00 203976 ----a-w- c:\windows\system32\richtx32.ocx

2011-07-09 10:22 . 1998-06-24 17:00 244024 ----a-w- c:\windows\system32\MSFLXGRD.OCX

2011-07-07 12:27 . 2011-07-07 12:27 -------- d-sh--w- c:\documents and settings\Administrator.OFFICE\IECompatCache

2011-07-05 20:39 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-28 19:36 . 2011-06-28 19:30 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-06-28 19:28 . 2011-06-28 19:28 353608 ----a-w- c:\windows\system32\sysfer.dll

2011-06-28 19:28 . 2011-06-28 19:28 89600 ----a-w- c:\windows\system32\atl71.dll

2011-06-28 19:28 . 2011-06-28 19:28 87368 ----a-w- c:\windows\system32\FwsVpn.dll

2011-06-28 19:28 . 2011-06-28 19:28 625032 ----a-w- c:\windows\system32\SymNeti.dll

2011-06-28 19:28 . 2011-06-28 19:28 43336 ----a-w- c:\windows\system32\drivers\WPSDRVnt.sys

2011-06-28 19:28 . 2011-06-28 19:28 242056 ----a-w- c:\windows\system32\SymRedir.dll

2011-06-28 19:28 . 2011-06-28 19:28 107848 ----a-w- c:\windows\system32\SymVPN.dll

2011-06-28 19:28 . 2011-06-28 19:28 43696 ----a-w- c:\windows\system32\drivers\srtspx.sys

2011-06-28 19:28 . 2011-06-28 19:28 320944 ----a-w- c:\windows\system32\drivers\srtspl.sys

2011-06-28 19:28 . 2011-06-28 19:28 283184 ----a-w- c:\windows\system32\drivers\srtsp.sys

2011-06-28 19:28 . 2011-06-28 19:28 97096 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2011-06-28 19:28 . 2011-06-28 19:28 67472 ----a-w- c:\windows\system32\drivers\Teefer2.sys

2011-06-28 19:28 . 2011-06-28 19:28 39856 ----a-w- c:\windows\system32\drivers\symids.sys

2011-06-28 19:28 . 2011-06-28 19:28 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys

2011-06-28 19:28 . 2011-06-28 19:28 35120 ----a-w- c:\windows\system32\drivers\symndis.sys

2011-06-28 19:28 . 2011-06-28 19:28 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys

2011-06-28 19:28 . 2011-06-28 19:28 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys

2011-06-28 19:28 . 2011-06-28 19:28 145968 ----a-w- c:\windows\system32\drivers\symfw.sys

2011-06-28 19:28 . 2011-06-28 19:28 12720 ----a-w- c:\windows\system32\drivers\symdns.sys

2011-06-28 19:28 . 2011-06-28 19:28 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys

2011-06-28 19:28 . 2011-06-28 19:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2011-06-28 19:28 . 2011-06-28 19:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-06-02 14:02 . 2006-02-28 02:00 1858944 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-09 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-07 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-07 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1015808]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]

"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]

"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-06-28 115560]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

PhoneManager.lnk - c:\program files\Avaya\IP Office\Phone Manager\PhoneManager.exe [2008-7-16 9129984]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\APSHook.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\NPES\\Personify.exe"=

"c:\\Documents and Settings\\CErb\\Application Data\\TMA Resources Inc\\Personify\\NPES\\7.3.1\\TIMSS.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [6/13/2007 8:53 PM 101167]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 4:31 PM 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [6/14/2007 7:22 PM 13184]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 10:32 PM 39080]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [6/13/2007 8:53 PM 5808]

R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 10:00 PM 14336]

R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 10:00 PM 14336]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/9/2007 8:03 PM 221184]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [8/13/2008 6:30 PM 576024]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [8/13/2008 6:10 PM 2521880]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/28/2011 12:36 PM 105592]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 5:46 AM 44800]

S1 MpKsl6ba915fc;MpKsl6ba915fc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D17C260A-18FB-4793-BC87-D11A5AFE884C}\MpKsl6ba915fc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D17C260A-18FB-4793-BC87-D11A5AFE884C}\MpKsl6ba915fc.sys [?]

S2 0028191220450047mcinstcleanup;McAfee Application Installer Cleanup (0028191220450047);c:\docume~1\ADMINI~1\LOCALS~1\Temp\002819~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\002819~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 9:59 AM 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/28/2011 3:28 PM 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 9:59 AM 135664]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\SMINST\virtdisk.sys [8/13/2008 6:41 PM 57344]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Cognizance REG_MULTI_SZ ASBroker ASChannel

.

Contents of the 'Scheduled Tasks' folder

.

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 13:59]

.

2011-08-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 13:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://boeprod1.uapps.net/businessobjects/enterprise115/desktoplaunch/viewers/crystalreportviewers115/ActiveXControls/PrintControl.cab

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://boefarm1.uapps.net/businessobjects/viewers/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://204.71.142.69/CrystalReports/crystalreportviewers/ActiveXControls/PrintControl.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

FF - ProfilePath - c:\documents and settings\Administrator.OFFICE\Application Data\Mozilla\Firefox\Profiles\2hqaunms.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe

Notify-NavLogon - (no file)

SafeBoot-Symantec Antvirus

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-03 17:20

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2119379497-1915432768-1073948036-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,74,fe,da,ee,86,0a,40,a4,84,97,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,74,fe,da,ee,86,0a,40,a4,84,97,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d8,00,90,e8,2d,59,2e,40,8d,67,96,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d8,00,90,e8,2d,59,2e,40,8d,67,96,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(976)

c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll

.

- - - - - - - > 'explorer.exe'(3036)

c:\windows\system32\WININET.dll

c:\windows\system32\APSHook.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Symantec AntiVirus\Smc.exe

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\windows\system32\ifxtcs.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Hewlett-Packard\IAM\bin\asghost.exe

c:\windows\system32\IfxPsdSv.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Symantec AntiVirus\SmcGui.exe

c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

.

**************************************************************************

.

Completion time: 2011-08-03 17:22:56 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-03 21:22

.

Pre-Run: 125,981,147,136 bytes free

Post-Run: 126,262,505,472 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - E2C3839270F503D9DFC14DE593D41302


Yes, sorry, I thought my last update posted and it did not.

I ran MBAM and scanned the file c:\windows\system32\chg.exe with VirusTotal.

The result was: 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: chg.exe

Submission date: 2011-08-03 05:59:12 (UTC)

Current status: finished

Result: 0 /43 (0.0%)

The log from MBAM is below:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7415

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/9/2011 2:57:26 PM

mbam-log-2011-08-09 (14-57-26).txt

Scan type: Full scan (C:\|)

Objects scanned: 331025

Time elapsed: 1 hour(s), 46 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

chg.zip


Hi,

Grab a fresh copy of ComboFix, run it, and post its log.

Also post a fresh DDS log.

Below is the DDS log; the ComboFix log is attached:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Administrator at 13:40:17 on 2011-08-16

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2002.1253 [GMT -4:00]

.

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Endpoint Protection *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\System32\svchost.exe -k Cognizance

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec AntiVirus\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\system32\ifxtcs.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\system32\IfxPsdSv.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\Program Files\Symantec AntiVirus\SmcGui.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [atchk] "c:\program files\intel\amt\atchk.exe"

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [iFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon

mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe

mRun: [setRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe

mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule

mRun: [Recguard] c:\windows\sminst\Recguard.exe

mRun: [Reminder] c:\windows\creator\Remind_XP.exe

mRun: [scheduler] c:\windows\sminst\Scheduler.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/E/3/9/E39C664F-A8E3-4F69-A109-1AE9849204EE/OGAControl.cab

DPF: {19529B56-E206-4F0B-B44E-97B5F4861E6A} - hxxp://boeprod1.uapps.net/businessobjects/enterprise115/desktoplaunch/viewers/crystalreportviewers115/ActiveXControls/PrintControl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220467483054

DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} - hxxp://boefarm1.uapps.net/businessobjects/viewers/crystalreportviewers115/ActiveXControls/ActiveXViewer.cab

DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://204.71.142.69/CrystalReports/crystalreportviewers/ActiveXControls/PrintControl.cab

DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP27-10832/event/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 172.16.1.21 172.16.1.3

TCP: Interfaces\{D6024C00-6FAE-4521-BF23-9CF3C7FADF47} : DhcpNameServer = 172.16.1.21 172.16.1.3

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll

AppInit_DLLs: c:\windows\system32\APSHook.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\administrator.office\application data\mozilla\firefox\profiles\2hqaunms.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2007-6-13 101167]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2006-10-9 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2007-6-14 13184]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-4-18 39080]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2007-6-13 5808]

R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]

R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-28 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-6-28 108392]

R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2007-7-9 221184]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-8-13 576024]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2011-6-28 1831024]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-8-13 2521880]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-28 105592]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110815.034\NAVENG.SYS [2011-8-16 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110815.034\NAVEX15.SYS [2011-8-16 1576312]

S1 MpKsl6ba915fc;MpKsl6ba915fc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17c260a-18fb-4793-bc87-d11a5afe884c}\mpksl6ba915fc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d17c260a-18fb-4793-bc87-d11a5afe884c}\MpKsl6ba915fc.sys [?]

S2 0028191220450047mcinstcleanup;McAfee Application Installer Cleanup (0028191220450047);c:\docume~1\admini~1\locals~1\temp\002819~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\002819~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-6-28 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 VirtDisk;XSS Virtual Disk Driver;c:\windows\sminst\virtdisk.sys [2008-8-13 57344]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-08-10 12:59:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-10 12:57:26 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-08 20:08:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-08 20:08:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-03 21:12:19 -------- d-sha-r- C:\cmdcons

2011-08-03 21:09:33 98816 ----a-w- c:\windows\sed.exe

2011-08-03 21:09:33 518144 ----a-w- c:\windows\SWREG.exe

2011-08-03 21:09:33 256000 ----a-w- c:\windows\PEV.exe

2011-08-03 21:09:33 208896 ----a-w- c:\windows\MBR.exe

2011-08-03 20:53:10 -------- d--h--w- c:\windows\system32\GroupPolicy

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-28 19:36:41 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 13:40:41.56 ===============

ComboFix-8162011.txt

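The DDS "Pseudo HJT Report" above is the part of the log that matters for a redirect complaint: start/search pages, BHOs, toolbars, ActiveX downloads (DPF), the DNS servers handed out by DHCP, Winlogon Notify packages and AppInit_DLLs are the places a browser hijacker registers itself. The script below is an added example, not code from DDS, HijackThis, ComboFix or anyone in this thread. It reads report lines of that format and assigns each a rough severity. The rules are this editor's heuristics (orphan "No File" entries are cleanup only, AppInit and Notify DLLs always deserve a publisher check, ActiveX packages fetched from a bare IP and DNS servers outside RFC 1918 space are suspicious, and a BHO loaded from a user-writable folder is suspicious). The sample input copies lines from the log above; the last two lines (the 203.0.113.53 name server and the "Hypothetical Helper" BHO in a temp folder) are constructed to exercise the rules.

```python
"""Triage a DDS 'Pseudo HJT Report' for browser-redirect persistence points.

Added example: the severity rules are this editor's heuristics, not logic from
DDS, HijackThis or any other tool in the thread. Each finding is a prompt for
a human to look, never a verdict on its own.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample. Lines 1-8 are copied from the DDS log; the last two
# (name server 203.0.113.53, "Hypothetical Helper") are invented for the demo.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://204.71.142.69/CrystalReports/crystalreportviewers/ActiveXControls/PrintControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220467483054
TCP: DhcpNameServer = 172.16.1.21 172.16.1.3
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll
TCP: Interfaces\{00000000-0000-0000-0000-000000000000} : NameServer = 203.0.113.53
BHO: Hypothetical Helper: {00000000-0000-0000-0000-000000000001} - c:\documents and settings\administrator\local settings\temp\helper.dll
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Folders a standard XP user can write to; a BHO loaded from here deserves a look.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")


@dataclass(frozen=True)
class Finding:
    entry: str      # the report line, verbatim
    severity: str   # "info", "review" or "suspicious"
    reason: str


def _host(defanged_url):
    """DDS writes hxxp:// so a pasted log is not clickable; undo that to parse."""
    return urlparse(defanged_url.strip().replace("hxxp", "http", 1)).hostname or ""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def triage(report):
    """Return one Finding per report line that merits attention, in log order."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        tail = line.rsplit(" - ", 1)[-1]        # path or URL after the last ' - '
        if tail.lower() in ("no file", "(no file)"):
            findings.append(Finding(line, "info",
                "orphan: registration points at a file that no longer exists; cleanup only"))
        elif line.startswith("AppInit_DLLs:"):
            findings.append(Finding(line, "review",
                "AppInit_DLLs is loaded into every process that links user32.dll; confirm the publisher"))
        elif line.startswith("Notify:"):
            findings.append(Finding(line, "review",
                "Winlogon notification package runs inside winlogon.exe; confirm the publisher"))
        elif line.startswith("DPF:") and _is_ip(_host(tail)):
            findings.append(Finding(line, "suspicious",
                f"ActiveX package downloaded from a bare IP address ({_host(tail)})"))
        elif line.startswith("TCP:") and "NameServer" in line:
            for server in line.split("=", 1)[1].split():
                if _is_ip(server) and not _is_private(server):
                    findings.append(Finding(line, "suspicious",
                        f"DNS server {server} is outside RFC 1918 space; redirects can come from a DNS changer"))
        elif line.startswith("BHO:") and any(m in tail.lower() for m in USER_WRITABLE):
            findings.append(Finding(line, "suspicious",
                "browser helper object loaded from a user-writable folder"))
        elif line.startswith(("uStart Page", "mStart Page", "uSearch", "mSearch")):
            findings.append(Finding(line, "info",
                f"start/search page host is {_host(line.split('=', 1)[1])}; confirm the user set it"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'info': 2, 'review': 2, 'suspicious': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:10}] {f.reason}\n             {f.entry}")
    print(summarize(triage(SAMPLE_REPORT)))
```

Run against the sample, it leaves the Adobe BHO, the Microsoft Update DPF and the 172.16.1.x DHCP name servers alone, marks the toolbar "No File" entry and the Yahoo start page as informational, asks for a publisher check on the Notify and AppInit_DLLs entries, and flags the Crystal Reports ActiveX control pulled from 204.71.142.69 together with the two constructed lines. A "suspicious" tag here means "look at the file, its signer and its creation date", which is exactly the step the VirusTotal lookup of chg.exe earlier in the thread performs by hand.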

  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
