
Browser Redirect & No Sound via IE8


dnss


See MBAM log below:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7260

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/24/2011 8:45:46 AM

mbam-log-2011-07-24 (08-45-46).txt

Scan type: Full scan (C:\|)

Objects scanned: 291110

Time elapsed: 2 hour(s), 53 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{539abe19-dd5c-4d3a-8691-3eb2c5000278}\RP1163\A0143085.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\system volume information\_restore{539abe19-dd5c-4d3a-8691-3eb2c5000278}\RP1163\A0143086.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

The malware was deleted, but I lost the desktop, the programs in the Startup menu, and the use of Task Manager. I regained these using unhide.exe. Now I am being redirected when using IE8 version 8.0.6001.18702IS and have no sound from the internet. Please advise. Thanks. P.S. I am new to this, so I hope to get back into this topic for possible solutions.


Hello and :welcome:

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Thanks Elise. Following is the info you requested (DDS.txt file):

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Dennis at 18:15:18 on 2011-08-16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.88 [GMT -4:00]

.

AV: CA Anti-Virus *Enabled/Updated* {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FW: CA Personal Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\ActivIdentity\ActivClient\accoca.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe

C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe

C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ActivIdentity\ActivClient\acsagent.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Money\System\urlmap.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uWindow Title = Microsoft Internet Explorer provided by EZN

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet

uRun: [RealPlayer] "c:\program files\real\realplayer\realplay.exe" /RunUPGToolCommandReBoot

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

uRun: [Google Update] "c:\documents and settings\dennis\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [szuniq] rundll32.exe "c:\windows\api320.dll",Startup

uRun: [euPaPAmYLiM] c:\documents and settings\all users\application data\euPaPAmYLiM.exe

mRun: [PCTVOICE] pctspk.exe

mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Trend Micro AntiVirus 2007] c:\program files\trend micro\antivirus 2007\tavui.exe -1 --delay 15

mRun: [<NO NAME>]

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"

mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"

mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"

mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl

mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe

mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe

mRun: [Dromaqesaciwiqul] rundll32.exe "c:\windows\ufihugew.dll",Startup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

LSP: c:\windows\system32\VetRedir.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162648997162

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: Interfaces\{30E41968-CC60-4F4C-A04A-C7AB7D42F8CB} : DhcpNameServer = 172.30.15.240 172.30.41.240 172.30.51.240

Notify: ackpbsc - c:\windows\system32\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

Notify: PFW - UmxWnp.Dll

.

============= SERVICES / DRIVERS ===============

.

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-6-24 93712]

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]

R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]

R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 115216]

R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-8-10 26352]

R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-8-10 21104]

R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2010-6-5 746216]

R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-8-10 21488]

R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-8-10 32240]

R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]

R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-8-10 144960]

R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 134648]

R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]

R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]

R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]

R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]

R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]

R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-16 189704]

R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2010-6-5 130280]

S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-5 1174152]

S2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-8-10 238928]

S3 cxbu0wdm;SmartTerminal XX44;c:\windows\system32\drivers\cxbu0wdm.sys [2008-7-15 91008]

S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [2000-4-25 35694]

.

=============== Created Last 30 ================

.

2011-08-14 14:24:46 -------- d-----w- c:\documents and settings\dennis\local settings\application data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}

2011-07-30 18:07:19 684297 ----a-w- c:\windows\unhide.exe

.

==================== Find3M ====================

.

2011-08-16 21:10:29 0 ----a-w- c:\windows\Kcixupagidimeqag.bin

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.

============= FINISH: 18:22:26.14 ===============

I also have the Attach.txt file. If you want it and need it zipped let me know how. Have at it.


Please post also attach.txt, no need to zip it, you can just post it like you did DDS.txt :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


For your reading pleasure:

DDS Attach text:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-23.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 12/7/2001 8:28:53 PM

System Uptime: 8/16/2011 5:57:22 PM (1 hours ago)

.

Motherboard: Gigabyte Technology Co., Ltd. | | 761-686B

Processor: AMD Athlon XP 1500+ | Slot A | 1333/133mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 37 GiB total, 23.708 GiB free.

D: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.


.

==== Installed Programs ======================

.


.

==== Event Viewer Messages From Past Week ========

.

8/9/2011 10:13:44 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service CaCCProvSP with arguments "" in order to run the server: {AACF4A1C-BC69-4359-9518-DF3F77E462BF}

8/13/2011 9:41:54 AM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.

8/13/2011 2:46:07 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service PPCtlPriv with arguments "" in order to run the server: {F974178A-A284-440A-BEFC-5B0D11BCDB68}

.

==== End Of File ===========================

TDSSKiller:

2011/08/18 18:16:06.0214 1668 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13

2011/08/18 18:16:06.0484 1668 ================================================================================

2011/08/18 18:16:06.0484 1668 SystemInfo:

2011/08/18 18:16:06.0484 1668

2011/08/18 18:16:06.0484 1668 OS Version: 5.1.2600 ServicePack: 3.0

2011/08/18 18:16:06.0484 1668 Product type: Workstation

2011/08/18 18:16:06.0484 1668 ComputerName: CANDACE-BETHANY

2011/08/18 18:16:06.0484 1668 UserName: Dennis

2011/08/18 18:16:06.0484 1668 Windows directory: C:\WINDOWS

2011/08/18 18:16:06.0484 1668 System windows directory: C:\WINDOWS

2011/08/18 18:16:06.0484 1668 Processor architecture: Intel x86

2011/08/18 18:16:06.0484 1668 Number of processors: 1

2011/08/18 18:16:06.0484 1668 Page size: 0x1000

2011/08/18 18:16:06.0484 1668 Boot type: Normal boot

2011/08/18 18:16:06.0484 1668 ================================================================================

2011/08/18 18:16:08.0217 1668 Initialize success

2011/08/18 18:16:14.0195 3944 ================================================================================

2011/08/18 18:16:14.0195 3944 Scan started

2011/08/18 18:16:14.0195 3944 Mode: Manual;

2011/08/18 18:16:14.0195 3944 ================================================================================

2011/08/18 18:16:36.0447 3944 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0

2011/08/18 18:16:36.0467 3944 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)

2011/08/18 18:16:36.0497 3944 Boot (0x1200) (199928f9076a968627e35a227a7abf41) \Device\Harddisk0\DR0\Partition0

2011/08/18 18:16:36.0517 3944 ================================================================================

2011/08/18 18:16:36.0517 3944 Scan finished

2011/08/18 18:16:36.0517 3944 ================================================================================

2011/08/18 18:16:36.0557 1444 Detected object count: 1

2011/08/18 18:16:36.0557 1444 Actual detected object count: 1

2011/08/18 18:17:02.0194 1444 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot

2011/08/18 18:17:02.0194 1444 \Device\Harddisk0\DR0 - ok

2011/08/18 18:17:02.0194 1444 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure

2011/08/18 18:17:14.0983 3264 Deinitialize success

What next?

dnss


Hi again,

Unfortunately you had a nasty rootkit on your computer. It is gone now, but please read the following information first.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Elise, Will a reformat and reinstall ensure that the computer can be trusted as secure? If the computer is cleaned via your method, can software be installed that will alert if the machine is being accessed or used via the backdoor? What is done with donations? dnss


Will a reformat and reinstall ensure that the computer can be trusted as secure?
The answer is simple: yes (the backdoor exists in the Windows structure; it's a "hole" that remains even if the malware is gone).
If the computer is cleaned via your method, can software be installed that will alert if the machine is being accessed or used via the backdoor?
Adequate security (antivirus, antispyware protection) will alert you if suspicious access is attempted. It also depends a bit on what you use your computer for: if you use it for work-related things and you store sensitive data on it, I wouldn't take as much risk as when it is just a home computer you use for mail, internet access, Facebook and so on. The chance of someone actually using the backdoor may not be high, but that doesn't mean it isn't there.
What is done with donations?
Donations are personal (at this site as well as at many others) and not related to MBAM.

I hope this answers your questions; if not, just let me know! :)


Elise; ComboFix was downloaded from Bleepingcomputer and the icon double-clicked on. A window opened showing the progress of files being loaded. Then a window popped up stating ComboFix could not continue with CA Antivirus running. It stated that to run, CA must be uninstalled. I clicked the OK button and disabled CA's firewall and Snoozed CA's AntiVirus. I double-clicked on the ComboFix icon and, after the window opened showing the loading progress, the window popped up again with the same message stating that CA Antivirus must be uninstalled for ComboFix to accomplish its procedures. Should I uninstall CA? Installing it was time consuming and cumbersome. Can I hide CA somehow so that ComboFix will not recognize it and run? As an aside, I noticed that a web site that I go to is not updating, even with CA's firewall disabled. While at the site, I right-clicked on the CA shield to disable the firewall; when I right-clicked on the shield again to enable it, the menu would not come up. I had to close IE8 to bring the menu up with a right click on the shield. dnss


Elise,

Here is the ComboFix log you requested:

ComboFix 11-08-30.02 - Dennis 08/30/2011 18:36:52.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.117 [GMT -4:00]

Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Dennis\Application Data\Microsoft\Internet Explorer\Quick Launch\System Repair.lnk

c:\documents and settings\Dennis\WINDOWS

c:\program files\messenger\msmsgsin.exe

c:\windows\api320.dll

c:\windows\ehome\snchk.exe

c:\windows\iun6002.exe

c:\windows\system32\_000013_.tmp.dll

c:\windows\ufihugew.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 )))))))))))))))))))))))))))))))

.

.

2011-08-14 14:24 . 2011-08-14 14:24 -------- d-----w- c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-30 18:07 . 2011-07-30 18:07 684297 ----a-w- c:\windows\unhide.exe

2011-07-06 23:52 . 2010-11-03 12:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-26 1003520]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-21 171448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"PCTVOICE"="pctspk.exe" [2001-06-15 155648]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-7-10 130864]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-07-10 20:28 111616 ----a-w- c:\windows\system32\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-07-10 20:28 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]

S3 cxbu0wdm;SmartTerminal XX44;c:\windows\system32\drivers\cxbu0wdm.sys [7/15/2008 3:20 PM 91008]

S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 8:01 AM 35694]

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1698683601-1203367206-2587936551-1005Core.job

- c:\documents and settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-03 12:59]

.

2011-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1698683601-1203367206-2587936551-1005UA.job

- c:\documents and settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-03 12:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe

HKCU-Run-Szuniq - c:\windows\api320.dll

HKCU-Run-euPaPAmYLiM - c:\documents and settings\All Users\Application Data\euPaPAmYLiM.exe

HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe

HKLM-Run-Trend Micro AntiVirus 2007 - c:\program files\Trend Micro\AntiVirus 2007\tavui.exe

HKLM-Run-Dromaqesaciwiqul - c:\windows\ufihugew.dll

AddRemove-Drug Guide For Nurses - c:\windows\iun6002.exe

AddRemove-ICD-9-CMCe_9.0.10 - c:\windows\iun6002.exe

AddRemove-ICD-9-CM_pc - c:\windows\iun6002.exe

AddRemove-Mosby's DrugPro - c:\windows\iun6002.exe

AddRemove-RNLabs4Ce_7.0.24 - c:\windows\iun6002.exe

AddRemove-RNLabs4_pc - c:\windows\iun6002.exe

AddRemove-RNotes2Ce_9.0.5 - c:\windows\iun6002.exe

AddRemove-RNotes2_pc - c:\windows\iun6002.exe

AddRemove-smARTupdate - c:\windows\iun6002.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-30 18:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(488)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

c:\windows\System32\MSXML3.DLL

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

.

Completion time: 2011-08-30 18:58:26

ComboFix-quarantined-files.txt 2011-08-30 22:58

.

Pre-Run: 25,359,902,208 bytes free

Post-Run: 27,901,659,648 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - B2AECA84DBAC6F280243DD0D1B8645BF

How do things look? dnss


Hi again,

Please let me know how things are running after the following steps.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Folder::
c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Elise,

ComboFix 11-09-05.02 - Dennis 09/05/2011 9:39.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.130 [GMT -4:00]

Running from: c:\documents and settings\Dennis\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dennis\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}

c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}\chrome.manifest

c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}\chrome\content\_cfg.js

c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}\chrome\content\overlay.xul

c:\documents and settings\Dennis\Local Settings\Application Data\{C2F6BB79-3AD0-4011-A991-8482EA7955CE}\install.rdf

.

.

((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))

.

.

2011-09-03 13:19 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-03 13:19 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-03 13:19 . 2011-09-03 13:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-03 12:28 . 2011-09-03 13:31 -------- d-----w- c:\documents and settings\Dennis\Application Data\Sammsoft

2011-09-03 10:12 . 2011-05-30 08:01 206160 ----a-w- c:\windows\system32\Isafprod.dll

2011-09-03 10:12 . 2011-05-30 08:01 95568 ----a-w- c:\windows\system32\Vetredir.dll

2011-09-03 10:12 . 2011-05-30 08:01 128336 ----a-w- c:\windows\system32\Isafeif.dll

2011-09-01 22:59 . 2011-09-01 22:59 -------- d-----w- c:\program files\Common Files\Scanner

2011-09-01 22:58 . 2011-09-05 13:23 -------- d-----w- c:\windows\rnapxs

2011-09-01 22:45 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-09-01 22:43 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-30 18:07 . 2011-07-30 18:07 684297 ----a-w- c:\windows\unhide.exe

2011-07-15 13:29 . 1980-01-01 00:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 1980-01-01 00:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2001-11-28 01:21 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-12-07 21:37 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2003-05-12 20:31 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 18:36 . 2003-05-12 20:31 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 1980-01-01 00:00 293376 ----a-w- c:\windows\system32\winsrv.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_22.53.42 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe

+ 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe

+ 2003-05-12 20:30 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll

- 2003-05-12 20:30 . 2011-04-25 16:11 66560 c:\windows\system32\mshtmled.dll

- 2006-11-08 02:03 . 2011-04-25 16:11 55296 c:\windows\system32\msfeedsbs.dll

+ 2006-11-08 02:03 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll

+ 2001-08-18 02:43 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll

- 2001-08-18 02:43 . 2011-04-25 16:11 25600 c:\windows\system32\jsproxy.dll

- 2009-06-14 10:00 . 2011-04-25 16:11 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2009-06-14 10:00 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2006-05-10 05:23 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2006-05-10 05:23 . 2011-04-25 16:11 66560 c:\windows\system32\dllcache\mshtmled.dll

- 2007-06-27 14:34 . 2011-04-25 16:11 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2007-06-27 14:34 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2006-10-17 17:05 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll

- 2006-10-17 17:05 . 2011-04-25 16:11 43520 c:\windows\system32\dllcache\licmgr10.dll

+ 2006-05-10 05:22 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2006-05-10 05:22 . 2011-04-25 16:11 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll

- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll

- 1980-01-01 00:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll

+ 1980-01-01 00:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 12800 c:\windows\ie8updates\KB2559049-IE8\xpshims.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 66560 c:\windows\ie8updates\KB2559049-IE8\mshtmled.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 55296 c:\windows\ie8updates\KB2559049-IE8\msfeedsbs.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 43520 c:\windows\ie8updates\KB2559049-IE8\licmgr10.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 25600 c:\windows\ie8updates\KB2559049-IE8\jsproxy.dll

- 2003-05-12 20:30 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll

+ 2003-05-12 20:30 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll

+ 1980-01-01 00:00 . 2011-04-29 17:25 151552 c:\windows\system32\schannel.dll

+ 2001-08-18 02:43 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll

- 2001-08-18 02:43 . 2011-04-25 16:11 206848 c:\windows\system32\occache.dll

- 2003-05-12 20:30 . 2011-04-25 16:11 611840 c:\windows\system32\mstime.dll

+ 2003-05-12 20:30 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll

- 2006-11-08 02:03 . 2011-04-25 16:11 602112 c:\windows\system32\msfeeds.dll

+ 2006-11-08 02:03 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll

- 2004-12-07 16:51 . 2011-04-25 16:11 184320 c:\windows\system32\iepeers.dll

+ 2004-12-07 16:51 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll

+ 2003-05-12 20:31 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll

- 2003-05-12 20:31 . 2011-04-25 16:11 387584 c:\windows\system32\iedkcs32.dll

- 2003-05-12 20:31 . 2011-04-25 12:01 173568 c:\windows\system32\ie4uinit.exe

+ 2003-05-12 20:31 . 2011-06-23 12:05 173568 c:\windows\system32\ie4uinit.exe

- 2001-11-27 18:16 . 2011-04-25 16:26 129296 c:\windows\system32\FNTCACHE.DAT

+ 2001-11-27 18:16 . 2011-09-03 09:43 129296 c:\windows\system32\FNTCACHE.DAT

+ 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll

- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll

+ 2004-12-07 21:37 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll

- 2004-12-07 21:37 . 2011-04-25 16:11 916480 c:\windows\system32\dllcache\wininet.dll

+ 2006-10-17 17:05 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll

- 2006-10-17 17:05 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll

+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll

- 2006-10-17 17:04 . 2011-04-25 16:11 206848 c:\windows\system32\dllcache\occache.dll

+ 2006-10-17 17:04 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll

+ 2006-05-10 05:23 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll

- 2006-05-10 05:23 . 2011-04-25 16:11 611840 c:\windows\system32\dllcache\mstime.dll

- 2007-06-27 14:34 . 2011-04-25 16:11 602112 c:\windows\system32\dllcache\msfeeds.dll

+ 2007-06-27 14:34 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll

- 2008-11-16 11:59 . 2011-04-29 16:19 456320 c:\windows\system32\dllcache\mrxsmb.sys

+ 2008-11-16 11:59 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys

- 2009-06-14 10:00 . 2011-04-25 16:11 247808 c:\windows\system32\dllcache\ieproxy.dll

+ 2009-06-14 10:00 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll

- 2006-05-10 05:22 . 2011-04-25 16:11 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2006-05-10 05:22 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll

- 2010-11-13 11:34 . 2011-04-25 16:11 743424 c:\windows\system32\dllcache\iedvtool.dll

+ 2010-11-13 11:34 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll

- 2006-11-07 08:27 . 2011-04-25 16:11 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2006-11-07 08:27 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll

- 2006-11-07 08:26 . 2011-04-25 12:01 173568 c:\windows\system32\dllcache\ie4uinit.exe

+ 2006-11-07 08:26 . 2011-06-23 12:05 173568 c:\windows\system32\dllcache\ie4uinit.exe

+ 2011-09-02 00:18 . 2011-04-25 16:11 916480 c:\windows\ie8updates\KB2559049-IE8\wininet.dll

+ 2011-09-02 00:18 . 2009-03-08 08:34 105984 c:\windows\ie8updates\KB2559049-IE8\url.dll

+ 2011-09-02 00:18 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2559049-IE8\spuninst\updspapi.dll

+ 2011-09-02 00:18 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2559049-IE8\spuninst\spuninst.exe

+ 2011-09-02 00:18 . 2011-04-25 16:11 206848 c:\windows\ie8updates\KB2559049-IE8\occache.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 611840 c:\windows\ie8updates\KB2559049-IE8\mstime.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 602112 c:\windows\ie8updates\KB2559049-IE8\msfeeds.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 247808 c:\windows\ie8updates\KB2559049-IE8\ieproxy.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 184320 c:\windows\ie8updates\KB2559049-IE8\iepeers.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 743424 c:\windows\ie8updates\KB2559049-IE8\iedvtool.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 387584 c:\windows\ie8updates\KB2559049-IE8\iedkcs32.dll

+ 2011-09-02 00:18 . 2011-04-25 12:01 173568 c:\windows\ie8updates\KB2559049-IE8\ie4uinit.exe

- 2008-11-16 11:59 . 2011-04-29 16:19 456320 c:\windows\Driver Cache\i386\mrxsmb.sys

+ 2008-11-16 11:59 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys

+ 1980-01-01 00:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys

+ 2004-12-07 21:37 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll

+ 2005-01-27 20:35 . 2011-07-25 15:17 5969920 c:\windows\system32\mshtml.dll

+ 2006-10-17 16:57 . 2011-06-23 18:36 1991680 c:\windows\system32\iertutil.dll

- 2006-10-17 16:57 . 2011-04-25 16:11 1991680 c:\windows\system32\iertutil.dll

+ 2008-10-19 11:12 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys

+ 2004-12-07 21:37 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll

+ 2006-05-19 15:08 . 2011-07-25 15:17 5969920 c:\windows\system32\dllcache\mshtml.dll

+ 2007-06-27 14:34 . 2011-06-23 18:36 1991680 c:\windows\system32\dllcache\iertutil.dll

- 2007-06-27 14:34 . 2011-04-25 16:11 1991680 c:\windows\system32\dllcache\iertutil.dll

+ 2011-09-01 22:59 . 2011-09-01 22:59 9049600 c:\windows\Installer\{BDBAAB1B-B364-465E-931D-4E2E2F0E609A}\{D2B942CC-0565-43C6-82F9-DE26EA4928E6}\HIPS2.msi

+ 2011-09-03 10:11 . 2011-09-03 10:11 9048576 c:\windows\Installer\{BDBAAB1B-B364-465E-931D-4E2E2F0E609A}\{5F625AD7-BCE2-4C26-9541-DAEC40B010C6}\HIPS2.msi

+ 2011-09-02 00:18 . 2011-04-25 16:11 1211904 c:\windows\ie8updates\KB2559049-IE8\urlmon.dll

+ 2011-09-02 00:18 . 2011-05-30 22:19 5964800 c:\windows\ie8updates\KB2559049-IE8\mshtml.dll

+ 2011-09-02 00:18 . 2011-04-25 16:11 1991680 c:\windows\ie8updates\KB2559049-IE8\iertutil.dll

+ 2005-05-11 00:47 . 2011-07-30 14:05 52390856 c:\windows\system32\MRT.exe

+ 2006-11-08 02:03 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll

- 2006-11-08 02:03 . 2011-04-26 14:11 11081728 c:\windows\system32\ieframe.dll

- 2007-06-27 14:34 . 2011-04-26 14:11 11081728 c:\windows\system32\dllcache\ieframe.dll

+ 2007-06-27 14:34 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll

+ 2011-09-02 00:18 . 2011-04-26 14:11 11081728 c:\windows\ie8updates\KB2559049-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" [2006-05-26 1003520]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]

"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-21 171448]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"PCTVOICE"="pctspk.exe" [2001-06-15 155648]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]

"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

ActivClient Agent.lnk - c:\program files\ActivIdentity\ActivClient\acsagent.exe [2007-7-10 130864]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]

2007-07-10 20:28 111616 ----a-w- c:\windows\system32\ackpbsc.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]

2007-07-10 20:28 281088 ----a-w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

.

R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]

S3 cxbu0wdm;SmartTerminal XX44;c:\windows\system32\drivers\cxbu0wdm.sys [7/15/2008 3:20 PM 91008]

S3 NetMate;CATC USB/Ethernet Link device driver;c:\windows\system32\drivers\netmate2.sys [4/25/2000 8:01 AM 35694]

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1698683601-1203367206-2587936551-1005Core.job

- c:\documents and settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-03 12:59]

.

2011-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1698683601-1203367206-2587936551-1005UA.job

- c:\documents and settings\Dennis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-03 12:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

.

Notify-PFW - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-05 09:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(488)

c:\windows\system32\ackpbsc.dll

c:\windows\system32\aclog.dll

c:\windows\system32\ACLIBEAY.dll

c:\windows\system32\acevtsub.dll

c:\windows\system32\asphat32.dll

c:\windows\system32\acerrmes.dll

c:\windows\system32\aspcom.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll

c:\program files\ActivIdentity\ActivClient\acunlock.dll

c:\windows\system32\aipingui.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll

c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll

c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll

.

Completion time: 2011-09-05 09:55:42

ComboFix-quarantined-files.txt 2011-09-05 13:55

.

Pre-Run: 27,279,916,544 bytes free

Post-Run: 27,502,504,448 bytes free

.

- - End Of File - - A033272007DD3D87A6D3A24622D9262B

Next action?

dnss


Hi, that looks better!

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Please launch MBAM, update it and run a full scan. Post me the resulting log.


Elise,

MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7704

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/12/2011 7:48:07 PM

mbam-log-2011-09-12 (19-48-05).txt

Scan type: Full scan (C:\|)

Objects scanned: 278530

Time elapsed: 1 hour(s), 37 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The computer seems to process faster. The MBAM scan took an hour less than it did before the infections. Next?

dnss


Do you have any other problem left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetsmartinstaller_enu.exe icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, check "Scan Archives" and "Remove found threats"
    7. Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

  4. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  5. When the scan completes, click List Threats.
  6. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  7. Click the Back button.
  8. Click the Finish button.


Elise,

The computer was scanned with ESET Online Scan. When the scan completed there were no options to List Threats. Below is what came up.

Scan Results: No threats found.

Scanned Files: 79818

Infected Files: 0

Cleaned Files: 0

Total Scan Time: 02:05:39

Scan Status: Finished

Next? I think I will defrag the disk, if needed. dnss


Yes, a defrag is good at this point. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  2. Keep Windows (and your other Microsoft software) up to date!
     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
     Therefore, please visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Elise,

Combofix would not uninstall with the combofix /uninstall command. Initially a window opened and it began deleting files and then extracting files. It came to one file and CA came up with an alert to block or allow writing to the registry. I blocked and allowed several times for several files to get the Combofix moving. Finally a window came up stating a file would not open with abort, retry, ignore buttons. I tried both retry and ignore and still no success. I restarted the computer, disabled CA's firewall and snoozed the antivirus and after entering the uninstall command the Combofix window popped up stating that I would have to uninstall CA. I checked the remove program utility under control panel but Combofix was not present. I almost deleted the icon on the desktop but decided to consult you first. I believe I tried 4 or 5 times but to no avail. Next?

dnss
