svchost.exe high cpu usage - hjt log


I have had a number of 'infections' lately that have been difficult to remove. Between using MBAM, Spybot S&D, and Symantec Endpoint Protection I think I have a mostly clean system. However, I have a svchost.exe process that is eating up tons of CPU time. It doesn't continuously use all available cycles but it certainly slows things down.

I'm hoping someone can give me some clues about what is causing this.

I've attached a HijackThis log (hijackthis2.log):

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:35:33 PM, on 9/3/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/All%20Users/Documents/STEVE.HTM

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\System32\shdocvw.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O12 - Plugin for .NPSSView: C:\PROGRA~1\Netscape\COMMUN~1\Program\Plugins\NPssView.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277570271203

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--

End of file - 10333 bytes

Thank you for the reply.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7680

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/8/2011 6:30:46 PM

mbam-log-2011-09-08 (18-30-46).txt

Scan type: Quick scan

Objects scanned: 298518

Time elapsed: 21 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

------------------------------------------------------

Here is the DDS.TXT file:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Rita at 19:00:21 on 2011-09-08

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.454 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\COH\coh32.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRunOnce: [<NO NAME>]

mExplorerRun: [<NO NAME>] 1 (0x1)

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: aol.com\free

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1314749168718

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277570271203

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx

DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx

TCP: DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

TCP: Interfaces\{CB6BF88E-F37F-4E29-853A-33DACCA68E3E} : DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\rita.vs-sfreisch\application data\mozilla\firefox\profiles\vikry3is.default\

FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/All%20Users/Documents/steve.htm

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npietab.dll

FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\CISMBIOS.SYS [2003-5-19 13688]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-1-7 2440120]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-1-7 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110907.017\NAVENG.SYS [2011-9-7 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110907.017\NAVEX15.SYS [2011-9-7 1576312]

R3 vdisk;Virtual Disk Driver;c:\windows\system32\drivers\vdisk.sys [2006-8-29 16384]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S2 srv864;srv864;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-1-30 11264]

S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys [2003-5-19 41128]

S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

.scr=AutoCADScriptFile

.

=============== Created Last 30 ================

.

2011-09-08 06:35:58 -------- d-----w- c:\program files\ESET

2011-09-03 23:00:45 388096 ----a-r- c:\documents and settings\rita.vs-sfreisch\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-03 23:00:44 -------- d-----w- c:\program files\Trend Micro

2011-09-02 01:03:33 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2011-09-02 01:03:30 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2011-09-02 01:03:03 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2011-09-02 01:02:30 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2011-09-01 21:38:21 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll

2011-09-01 21:38:15 367576 ----a-w- c:\program files\mozilla firefox\nssckbi.dll

2011-09-01 21:38:14 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll

2011-09-01 21:38:14 105432 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll

2011-09-01 07:21:05 54016 ----a-w- c:\windows\system32\drivers\klxcymhh.sys

2011-08-31 04:07:12 54016 ----a-w- c:\windows\system32\drivers\mqnmyukm.sys

2011-08-31 00:11:56 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-31 00:11:54 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-31 00:11:47 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-21 22:58:45 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\OutWit

2011-08-21 17:17:38 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\Autodesk

2011-08-20 12:50:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-08-20 12:50:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-08-20 12:50:56 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-08-20 12:50:56 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-08-20 12:50:56 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-08-20 12:50:56 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-08-20 12:50:55 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-08-20 12:50:55 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-08-20 07:43:53 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\IECompatCache

2011-08-19 10:55:24 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\PrivacIE

2011-08-19 06:26:31 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Adobe

2011-08-19 06:20:37 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Thunderbird

2011-08-19 06:18:08 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Mozilla

2011-08-19 06:14:47 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\XnView

2011-08-19 05:38:30 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Ahead

2011-08-19 05:38:24 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\Malwarebytes

2011-08-19 05:36:58 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Symantec

2011-08-19 05:36:55 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\IETldCache

.

==================== Find3M ====================

.

2011-09-03 14:25:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-23 21:35:36 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST380023A rev.3.33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86DA14C0]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x86da88a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x86da8730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86F57AB8]

3 CLASSPNP[0xF7597FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x86EBE1F8]

\Driver\atapi[0x86E706C0] -> IRP_MJ_CREATE -> 0x86DA14C0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x86DA12E0

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 19:03:11.67 ===============

  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

I will post these log files separately for clarity.

Here is the TDSSKiller log:

2011/09/13 19:56:34.0640 3796 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17

2011/09/13 19:56:35.0218 3796 ================================================================================

2011/09/13 19:56:35.0218 3796 SystemInfo:

2011/09/13 19:56:35.0218 3796

2011/09/13 19:56:35.0218 3796 OS Version: 5.1.2600 ServicePack: 3.0

2011/09/13 19:56:35.0218 3796 Product type: Workstation

2011/09/13 19:56:35.0218 3796 ComputerName: VS-SFREISCH

2011/09/13 19:56:35.0218 3796 UserName: Rita

2011/09/13 19:56:35.0218 3796 Windows directory: C:\WINDOWS

2011/09/13 19:56:35.0218 3796 System windows directory: C:\WINDOWS

2011/09/13 19:56:35.0218 3796 Processor architecture: Intel x86

2011/09/13 19:56:35.0218 3796 Number of processors: 1

2011/09/13 19:56:35.0218 3796 Page size: 0x1000

2011/09/13 19:56:35.0218 3796 Boot type: Normal boot

2011/09/13 19:56:35.0218 3796 ================================================================================

2011/09/13 19:56:39.0265 3796 Initialize success

2011/09/13 19:56:47.0187 2952 ================================================================================

2011/09/13 19:56:47.0187 2952 Scan started

2011/09/13 19:56:47.0187 2952 Mode: Manual;

2011/09/13 19:56:47.0187 2952 ================================================================================

2011/09/13 19:57:32.0343 2952 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0

2011/09/13 19:57:32.0359 2952 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)

2011/09/13 19:57:32.0375 2952 MBR (0x1B8) (c841ba40faaa7b9cb8ad7556c6372d88) \Device\Harddisk1\DR1

2011/09/13 19:57:32.0406 2952 Boot (0x1200) (65fbfd35a53dc88829dc21ff1321c777) \Device\Harddisk0\DR0\Partition0

2011/09/13 19:57:32.0421 2952 Boot (0x1200) (8ae8365adbe6d7913ce7a1df1ac24ef3) \Device\Harddisk1\DR1\Partition0

2011/09/13 19:57:32.0765 2952 ================================================================================

2011/09/13 19:57:32.0765 2952 Scan finished

2011/09/13 19:57:32.0765 2952 ================================================================================

2011/09/13 19:57:32.0796 1172 Detected object count: 1

2011/09/13 19:57:32.0796 1172 Actual detected object count: 1

2011/09/13 19:57:41.0875 1172 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot

2011/09/13 19:57:41.0875 1172 \Device\Harddisk0\DR0 - ok

2011/09/13 19:57:41.0875 1172 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure

2011/09/13 19:57:49.0046 2268 Deinitialize success


Here is the DDS.txt log. For what it's worth, DDS ran really fast this time. Hopefully that's a good sign.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Rita at 20:41:02 on 2011-09-13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.489 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = file:///C:/Documents%20and%20Settings/All%20Users/Documents/STEVE.HTM

mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: aol.com\free

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1314749168718

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277570271203

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx

DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx

TCP: DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

TCP: Interfaces\{CB6BF88E-F37F-4E29-853A-33DACCA68E3E} : DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\rita.vs-sfreisch\application data\mozilla\firefox\profiles\vikry3is.default\

FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/All%20Users/Documents/steve.htm

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npietab.dll

FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\CISMBIOS.SYS [2003-5-19 13688]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-1-7 2440120]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-1-7 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110912.020\NAVENG.SYS [2011-9-12 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110912.020\NAVEX15.SYS [2011-9-12 1576312]

R3 vdisk;Virtual Disk Driver;c:\windows\system32\drivers\vdisk.sys [2006-8-29 16384]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S2 srv864;srv864;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-1-30 11264]

S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys [2003-5-19 41128]

S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

.scr=AutoCADScriptFile

.

=============== Created Last 30 ================

.

2011-09-14 01:08:22 -------- d-----w- C:\ComboFix

2011-09-09 00:22:26 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Apple Computer

2011-09-08 06:35:58 -------- d-----w- c:\program files\ESET

2011-09-03 23:00:45 388096 ----a-r- c:\documents and settings\rita.vs-sfreisch\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-03 23:00:44 -------- d-----w- c:\program files\Trend Micro

2011-09-02 01:03:33 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2011-09-02 01:03:30 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2011-09-02 01:03:03 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2011-09-02 01:02:30 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2011-09-01 21:38:21 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll

2011-09-01 21:38:15 367576 ----a-w- c:\program files\mozilla firefox\nssckbi.dll

2011-09-01 21:38:14 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll

2011-09-01 21:38:14 105432 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll

2011-09-01 07:21:05 54016 ----a-w- c:\windows\system32\drivers\klxcymhh.sys

2011-08-31 04:07:12 54016 ----a-w- c:\windows\system32\drivers\mqnmyukm.sys

2011-08-31 00:11:56 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-31 00:11:54 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-31 00:11:47 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-21 22:58:45 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\OutWit

2011-08-21 17:17:38 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\Autodesk

2011-08-20 12:50:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-08-20 12:50:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-08-20 12:50:56 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-08-20 12:50:56 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-08-20 12:50:56 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-08-20 12:50:56 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-08-20 12:50:55 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-08-20 12:50:55 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-08-20 07:43:53 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\IECompatCache

2011-08-19 10:55:24 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\PrivacIE

2011-08-19 06:26:31 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Adobe

2011-08-19 06:20:37 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Thunderbird

2011-08-19 06:18:08 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Mozilla

2011-08-19 06:14:47 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\XnView

2011-08-19 05:38:30 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Ahead

2011-08-19 05:38:24 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\Malwarebytes

2011-08-19 05:36:58 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Symantec

2011-08-19 05:36:55 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\IETldCache

.

==================== Find3M ====================

.

2011-09-10 13:27:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-23 21:35:36 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

.

============= FINISH: 20:41:25.42 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


Thanks for all your help. The system seems to be functioning normally again.

Here are the logs. First the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=27b3b2b36bf7de49bf999f542dfa4df6

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-08 10:00:25

# local_time=2011-09-08 05:00:25 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 286752 286752 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=180170

# found=17

# cleaned=17

# scan_time=12021

C:\Documents and Settings\Rita\Application Data\Sun\Java\Deployment\cache\6.0\26\552dca1a-33e62a92 Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Rita\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-5ad20d46-7891bfb9.class Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Rita.VS-SFREISCH\Local Settings\Temp\16.tmp a variant of Win32/Kryptik.SJR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Rita.VS-SFREISCH\Local Settings\Temp\thpm1992039729315789792.tmp a variant of Win32/Kryptik.SJR trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\sr8.001\Application Data\Mozilla\Firefox\Profiles\default.56j\extensions\{019163a3-450d-454e-94db-9182368a15ec}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\sr8.001\Application Data\Mozilla\Firefox\Profiles\default.56j\extensions\{85dad3f2-615f-44c8-ae01-2a01bbe355e3}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Bethany\Application Data\Mozilla\Firefox\Profiles\5cbkyec1.default\extensions\{019163a3-450d-454e-94db-9182368a15ec}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Bethany\Application Data\Mozilla\Firefox\Profiles\5cbkyec1.default\extensions\{85dad3f2-615f-44c8-ae01-2a01bbe355e3}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2040\A0203683.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2040\A0203684.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2040\A0203685.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2041\A0203710.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2041\A0203711.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2041\A0203713.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2079\A0219715.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{B2F5C34D-B05A-4AC4-A92D-FE76825A641D}\RP2079\A0219716.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\Temp\Acr8015.tmp JS/Exploit.Pdfka.PDM.Gen trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=27b3b2b36bf7de49bf999f542dfa4df6

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-09 07:27:30

# local_time=2011-09-09 02:27:30 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 366992 366992 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=178978

# found=0

# cleaned=0

# scan_time=9004

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

esets_scanner_update returned -1 esets_gle=1

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=27b3b2b36bf7de49bf999f542dfa4df6

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-09-17 03:29:17

# local_time=2011-09-16 10:29:17 (-0600, Central Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 1045077 1045077 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=165143

# found=0

# cleaned=0

# scan_time=7841

Here is the Checkup log:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Symantec Endpoint Protection

iolo technologies' System Mechanic

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Out of date Spybot installed!

Ad-Aware

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java Web Start

Java 6 Update 23

Out of date Java installed!

Adobe Flash Player 10.3.183.7

Mozilla Firefox (x86 en-US..)

Mozilla Thunderbird (6.0.2)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````End of Log````````````


  • Staff

Hi,

Great news!

Just to be sure, please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

ClearJavaCache::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

-screen317


It *is* good news. I was not looking forward to having to rebuild the system from scratch.

Here are the logs. First ComboFix.txt:

ComboFix 11-09-18.03 - Rita 09/18/2011 15:29:24.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.492 [GMT -5:00]

Running from: c:\documents and settings\Rita.VS-SFREISCH\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Rita.VS-SFREISCH\Desktop\CFScript.txt

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\$MSI31Uninstall_KB893803v2$

c:\windows\$MSI31Uninstall_KB893803v2$\msi.dll

c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe

c:\windows\$MSI31Uninstall_KB893803v2$\msihnd.dll

c:\windows\$MSI31Uninstall_KB893803v2$\msimsg.dll

c:\windows\$MSI31Uninstall_KB893803v2$\msisip.dll

c:\windows\$MSI31Uninstall_KB893803v2$\reg00013

c:\windows\$MSI31Uninstall_KB893803v2$\reg00014

c:\windows\$MSI31Uninstall_KB893803v2$\reg00015

c:\windows\$MSI31Uninstall_KB893803v2$\reg00016

c:\windows\$MSI31Uninstall_KB893803v2$\reg00017

c:\windows\$MSI31Uninstall_KB893803v2$\reg00018

c:\windows\$MSI31Uninstall_KB893803v2$\reg00019

c:\windows\$MSI31Uninstall_KB893803v2$\reg00020

c:\windows\$MSI31Uninstall_KB893803v2$\reg00021

c:\windows\$MSI31Uninstall_KB893803v2$\reg00022

c:\windows\$MSI31Uninstall_KB893803v2$\reg00023

c:\windows\$MSI31Uninstall_KB893803v2$\reg00024

c:\windows\$MSI31Uninstall_KB893803v2$\reg00025

c:\windows\$MSI31Uninstall_KB893803v2$\reg00026

c:\windows\$MSI31Uninstall_KB893803v2$\reg00027

c:\windows\$MSI31Uninstall_KB893803v2$\reg00028

c:\windows\$MSI31Uninstall_KB893803v2$\reg00029

c:\windows\$MSI31Uninstall_KB893803v2$\reg00030

c:\windows\$MSI31Uninstall_KB893803v2$\reg00031

c:\windows\$MSI31Uninstall_KB893803v2$\reg00032

c:\windows\$MSI31Uninstall_KB893803v2$\reg00033

c:\windows\$MSI31Uninstall_KB893803v2$\reg00034

c:\windows\$MSI31Uninstall_KB893803v2$\reg00035

c:\windows\$MSI31Uninstall_KB893803v2$\reg00036

c:\windows\$MSI31Uninstall_KB893803v2$\reg00037

c:\windows\$MSI31Uninstall_KB893803v2$\reg00038

c:\windows\$MSI31Uninstall_KB893803v2$\reg00039

c:\windows\$MSI31Uninstall_KB893803v2$\reg00040

c:\windows\$MSI31Uninstall_KB893803v2$\reg00041

c:\windows\$MSI31Uninstall_KB893803v2$\reg00042

c:\windows\$MSI31Uninstall_KB893803v2$\reg00043

c:\windows\$MSI31Uninstall_KB893803v2$\reg00044

c:\windows\$MSI31Uninstall_KB893803v2$\reg00045

c:\windows\$MSI31Uninstall_KB893803v2$\reg00046

c:\windows\$MSI31Uninstall_KB893803v2$\reg00047

c:\windows\$MSI31Uninstall_KB893803v2$\reg00048

c:\windows\$MSI31Uninstall_KB893803v2$\reg00051

c:\windows\$MSI31Uninstall_KB893803v2$\reg00052

c:\windows\$MSI31Uninstall_KB893803v2$\reg00053

c:\windows\$MSI31Uninstall_KB893803v2$\reg00054

c:\windows\$MSI31Uninstall_KB893803v2$\reg00055

c:\windows\$MSI31Uninstall_KB893803v2$\reg00056

c:\windows\$MSI31Uninstall_KB893803v2$\reg00057

c:\windows\$MSI31Uninstall_KB893803v2$\reg00058

c:\windows\$MSI31Uninstall_KB893803v2$\reg00059

c:\windows\$MSI31Uninstall_KB893803v2$\reg00060

c:\windows\$MSI31Uninstall_KB893803v2$\reg00061

c:\windows\$MSI31Uninstall_KB893803v2$\reg00062

c:\windows\$MSI31Uninstall_KB893803v2$\reg00063

c:\windows\$MSI31Uninstall_KB893803v2$\reg00064

c:\windows\$MSI31Uninstall_KB893803v2$\reg00065

c:\windows\$MSI31Uninstall_KB893803v2$\reg00066

c:\windows\$MSI31Uninstall_KB893803v2$\reg00067

c:\windows\$MSI31Uninstall_KB893803v2$\reg00068

c:\windows\$MSI31Uninstall_KB893803v2$\reg00069

c:\windows\$MSI31Uninstall_KB893803v2$\reg00070

c:\windows\$MSI31Uninstall_KB893803v2$\reg00071

c:\windows\$MSI31Uninstall_KB893803v2$\reg00072

c:\windows\$MSI31Uninstall_KB893803v2$\reg00073

c:\windows\$MSI31Uninstall_KB893803v2$\reg00074

c:\windows\$MSI31Uninstall_KB893803v2$\reg00075

c:\windows\$MSI31Uninstall_KB893803v2$\reg00076

c:\windows\$MSI31Uninstall_KB893803v2$\reg00077

c:\windows\$MSI31Uninstall_KB893803v2$\reg00078

c:\windows\$MSI31Uninstall_KB893803v2$\reg00079

c:\windows\$MSI31Uninstall_KB893803v2$\reg00080

c:\windows\$MSI31Uninstall_KB893803v2$\reg00081

c:\windows\$MSI31Uninstall_KB893803v2$\reg00082

c:\windows\$MSI31Uninstall_KB893803v2$\reg00083

c:\windows\$MSI31Uninstall_KB893803v2$\reg00084

c:\windows\$MSI31Uninstall_KB893803v2$\reg00085

c:\windows\$MSI31Uninstall_KB893803v2$\reg00086

c:\windows\$MSI31Uninstall_KB893803v2$\reg00087

c:\windows\$MSI31Uninstall_KB893803v2$\reg00088

c:\windows\$MSI31Uninstall_KB893803v2$\reg00089

c:\windows\$MSI31Uninstall_KB893803v2$\reg00090

c:\windows\$MSI31Uninstall_KB893803v2$\reg00091

c:\windows\$MSI31Uninstall_KB893803v2$\reg00092

c:\windows\$MSI31Uninstall_KB893803v2$\reg00093

c:\windows\$MSI31Uninstall_KB893803v2$\reg00094

c:\windows\$MSI31Uninstall_KB893803v2$\reg00095

c:\windows\$MSI31Uninstall_KB893803v2$\reg00096

c:\windows\$MSI31Uninstall_KB893803v2$\reg00097

c:\windows\$MSI31Uninstall_KB893803v2$\reg00098

c:\windows\$MSI31Uninstall_KB893803v2$\reg00099

c:\windows\$MSI31Uninstall_KB893803v2$\reg00100

c:\windows\$MSI31Uninstall_KB893803v2$\reg00101

c:\windows\$MSI31Uninstall_KB893803v2$\reg00102

c:\windows\$MSI31Uninstall_KB893803v2$\reg00103

c:\windows\$MSI31Uninstall_KB893803v2$\reg00104

c:\windows\$MSI31Uninstall_KB893803v2$\reg00105

c:\windows\$MSI31Uninstall_KB893803v2$\reg00106

c:\windows\$MSI31Uninstall_KB893803v2$\reg00107

c:\windows\$MSI31Uninstall_KB893803v2$\reg00108

c:\windows\$MSI31Uninstall_KB893803v2$\reg00109

c:\windows\$MSI31Uninstall_KB893803v2$\reg00110

c:\windows\$MSI31Uninstall_KB893803v2$\reg00111

c:\windows\$MSI31Uninstall_KB893803v2$\reg00112

c:\windows\$MSI31Uninstall_KB893803v2$\reg00113

c:\windows\$MSI31Uninstall_KB893803v2$\reg00114

c:\windows\$MSI31Uninstall_KB893803v2$\reg00115

c:\windows\$MSI31Uninstall_KB893803v2$\reg00116

c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe

c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.inf

c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.txt

c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-08-18 to 2011-09-18 )))))))))))))))))))))))))))))))

.

.

2011-09-17 20:55 . 2011-09-18 03:57 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Local Settings\Application Data\Google

2011-09-09 00:22 . 2011-09-09 00:22 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Local Settings\Application Data\Apple Computer

2011-09-08 06:35 . 2011-09-08 06:35 -------- d-----w- c:\program files\ESET

2011-09-03 23:00 . 2011-09-03 23:00 388096 ----a-r- c:\documents and settings\Rita.VS-SFREISCH\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-03 23:00 . 2011-09-03 23:00 -------- d-----w- c:\program files\Trend Micro

2011-09-03 22:32 . 2011-09-03 22:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-09-03 21:37 . 2011-09-03 21:37 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Application Data\EPSON

2011-09-02 01:03 . 2011-09-02 01:03 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2011-09-02 01:03 . 2011-09-02 01:03 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2011-09-02 01:03 . 2011-09-02 01:03 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2011-09-02 01:02 . 2011-09-02 01:02 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2011-09-01 21:38 . 2011-09-07 17:40 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll

2011-09-01 21:38 . 2011-09-07 17:39 367576 ----a-w- c:\program files\Mozilla Firefox\nssckbi.dll

2011-09-01 21:38 . 2011-09-07 17:39 89048 ----a-w- c:\program files\Mozilla Firefox\nssutil3.dll

2011-09-01 21:38 . 2011-09-07 17:39 105432 ----a-w- c:\program files\Mozilla Firefox\nssdbm3.dll

2011-09-01 07:21 . 2011-09-01 07:21 54016 ----a-w- c:\windows\system32\drivers\klxcymhh.sys

2011-08-31 04:07 . 2011-08-31 04:07 54016 ----a-w- c:\windows\system32\drivers\mqnmyukm.sys

2011-08-31 03:48 . 2011-08-31 03:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-08-31 00:11 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-31 00:11 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-31 00:11 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-25 04:33 . 2011-08-25 04:33 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Application Data\vlc

2011-08-21 22:58 . 2011-08-21 22:58 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Application Data\OutWit

2011-08-21 17:17 . 2011-08-21 17:17 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Application Data\Autodesk

2011-08-20 12:50 . 2011-09-01 21:38 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll

2011-08-20 12:50 . 2011-09-07 17:40 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-08-20 12:50 . 2011-09-07 17:39 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-08-20 12:50 . 2011-09-07 17:39 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-08-20 12:50 . 2011-09-07 17:39 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-08-20 12:50 . 2011-09-01 21:38 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll

2011-08-20 12:50 . 2011-09-07 17:39 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-08-20 12:50 . 2011-09-07 17:39 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-08-20 07:43 . 2011-08-20 07:43 -------- d-sh--w- c:\documents and settings\Rita.VS-SFREISCH\IECompatCache

2011-08-20 01:56 . 2011-08-20 01:56 -------- d-----w- c:\documents and settings\Rita.VS-SFREISCH\Application Data\Ahead

2011-08-19 22:43 . 2011-08-19 22:43 -------- d--h--r- c:\documents and settings\Rita.VS-SFREISCH\Application Data\SecuROM

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-14 01:46 . 2011-09-14 01:46 14891 ----a-w- C:\ComboFix.zip

2011-09-10 13:27 . 2011-06-28 03:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-23 21:35 . 2011-07-23 21:35 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29 . 2001-08-23 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2001-08-23 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52 . 2010-08-28 04:32 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52 . 2010-08-28 04:32 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-24 14:10 . 2003-02-11 15:35 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2004-08-24 01:32 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36 . 2003-02-11 17:15 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2003-02-11 17:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2004-12-17 17:56 385024 ----a-w- c:\windows\system32\html.iec

2011-09-07 17:40 . 2011-08-20 12:50 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-09-14_01.29.47 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-17 01:14 . 2011-09-17 01:14 16384 c:\windows\Temp\Perflib_Perfdata_66c.dat

+ 2011-09-18 04:46 . 2011-09-18 04:46 16384 c:\windows\Temp\Perflib_Perfdata_1a0.dat

+ 2011-08-31 04:52 . 2011-08-31 04:52 43703296 c:\windows\Installer\159b742.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-01-07 115560]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2010-7-7 6144]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

2002-02-15 16:51 24638 ----a-w- c:\windows\system32\PCANotify.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv864]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]

backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]

backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Inventory Scan.LNK]

backup=c:\windows\pss\Inventory Scan.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2005-06-21 22:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2005-06-21 22:48 155648 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Wuser32"=2 (0x2)

"Intel PDS"=2 (0x2)

"Intel File Transfer"=2 (0x2)

"VSS"=3 (0x3)

"SwPrv"=3 (0x3)

"RSVP"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"mnmsrvc"=3 (0x3)

"ClipSrv"=3 (0x3)

"BITS"=2 (0x2)

"EPSONStatusAgent2"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Psi\\Psi.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=

"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"67:UDP"= 67:UDP:DHCP Server

.

R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\CISMBIOS.SYS [5/19/2003 9:03 AM 13688]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/27/2011 7:50 PM 105592]

R3 vdisk;Virtual Disk Driver;c:\windows\system32\drivers\vdisk.sys [8/29/2006 2:05 PM 16384]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2009 9:11 PM 135664]

S2 srv864;srv864;c:\windows\system32\svchost.exe -k netsvcs [8/23/2001 7:00 AM 14336]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/7/2009 12:10 PM 23888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2009 9:11 PM 135664]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [1/30/2010 5:57 PM 11264]

S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys [5/19/2003 9:04 AM 41128]

S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 12:55 PM 411244]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-18 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-27 03:50]

.

2011-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 02:11]

.

2011-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 02:11]

.

2011-08-28 c:\windows\Tasks\HP DArC Task 2003-04-11 09:53ewlett-PackardHewlett-Packard Companyeskjet51002003-04-11 20:25Y3BL4S0FZ7A.job

- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-11 20:25]

.

2010-05-16 c:\windows\Tasks\switchShakeIcon.job

- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-07 16:56]

.

2007-02-07 c:\windows\Tasks\System Lifeguard 2 Shutdown Task.job

- c:\program files\System LifeGuard 2\SD.exe [2006-09-11 15:01]

.

2011-07-22 c:\windows\Tasks\wavepadShakeIcon.job

- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-05-07 16:55]

.

.

------- Supplementary Scan -------

.

uStart Page = file:///C:/Documents%20and%20Settings/All%20Users/Documents/STEVE.HTM

mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: aol.com\free

TCP: DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

FF - ProfilePath - c:\documents and settings\Rita.VS-SFREISCH\Application Data\Mozilla\Firefox\Profiles\vikry3is.default\

FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/All%20Users/Documents/steve.htm

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-18 15:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srv864]

"servicedll"="\\?\globalroot\Device\HarddiskVolume1\WINDOWS\Temp\srv864.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-4021508746-334337264-2154702590-1014\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:e7,88,56,a3,6d,6e,3e,03,6b,2d,a7,3e,ba,4a,9d,77,c0,ea,d2,2a,17,f9,5f,

f8,6c,74,a0,35,5e,43,4a,70,30,36,77,22,21,fb,b3,38,96,31,31,c9,56,77,c4,b3,\

"??"=hex:20,51,a4,a7,98,0e,40,9d,99,9c,20,9a,08,5c,f5,1f

.

Completion time: 2011-09-18 15:49:42

ComboFix-quarantined-files.txt 2011-09-18 20:49

ComboFix2.txt 2011-09-14 01:33

ComboFix3.txt 2011-07-27 23:50

.

Pre-Run: 9,494,491,136 bytes free

Post-Run: 9,635,770,368 bytes free

.

- - End Of File - - 41D97F1C3792804EB4C1C97F7F65A2E2


Here is the DDS.txt log:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by Rita at 15:55:35 on 2011-09-18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.485 [GMT -5:00]

.

AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = file:///C:/Documents%20and%20Settings/All%20Users/Documents/STEVE.HTM

mStart Page = hxxp://www.symantec.com/enterprise/security_response/index.jsp

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: aol.com\free

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1314749168718

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277570271203

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx

DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx

TCP: DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

TCP: Interfaces\{CB6BF88E-F37F-4E29-853A-33DACCA68E3E} : DhcpNameServer = 24.196.64.53 68.115.71.53 24.159.193.40

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxsrvc.dll

Notify: PCANotify - PCANotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\rita.vs-sfreisch\application data\mozilla\firefox\profiles\vikry3is.default\

FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/All%20Users/Documents/steve.htm

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npietab.dll

FF - plugin: c:\program files\photodex presenter\npPxPlay.dll

.

============= SERVICES / DRIVERS ===============

.

R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2002-2-11 33496]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.SYS [2000-9-11 10816]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]

R2 CiSmBios;CiSmBios;c:\windows\system32\drivers\CISMBIOS.SYS [2003-5-19 13688]

R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-1-7 2440120]

R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-1-7 23888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-7-27 105592]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110916.035\NAVENG.SYS [2011-9-17 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110916.035\NAVEX15.SYS [2011-9-17 1576312]

R3 vdisk;Virtual Disk Driver;c:\windows\system32\drivers\vdisk.sys [2006-8-29 16384]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S2 srv864;srv864;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2010-1-30 11264]

S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys [2003-5-19 41128]

S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [2000-10-19 411244]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== File Associations ===============

.

.scr=AutoCADScriptFile

.

=============== Created Last 30 ================

.

2011-09-18 20:27:12 -------- d-----w- C:\ComboFix

2011-09-17 20:55:44 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Google

2011-09-09 00:22:26 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\local settings\application data\Apple Computer

2011-09-08 06:35:58 -------- d-----w- c:\program files\ESET

2011-09-03 23:00:45 388096 ----a-r- c:\documents and settings\rita.vs-sfreisch\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-09-03 23:00:44 -------- d-----w- c:\program files\Trend Micro

2011-09-02 01:03:33 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2011-09-02 01:03:30 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)

2011-09-02 01:03:03 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)

2011-09-02 01:02:30 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2011-09-01 21:38:21 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll

2011-09-01 21:38:15 367576 ----a-w- c:\program files\mozilla firefox\nssckbi.dll

2011-09-01 21:38:14 89048 ----a-w- c:\program files\mozilla firefox\nssutil3.dll

2011-09-01 21:38:14 105432 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll

2011-09-01 07:21:05 54016 ----a-w- c:\windows\system32\drivers\klxcymhh.sys

2011-08-31 04:07:12 54016 ----a-w- c:\windows\system32\drivers\mqnmyukm.sys

2011-08-31 00:11:56 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys

2011-08-31 00:11:54 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-31 00:11:47 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-08-21 22:58:45 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\OutWit

2011-08-21 17:17:38 -------- d-----w- c:\documents and settings\rita.vs-sfreisch\application data\Autodesk

2011-08-20 12:50:58 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-08-20 12:50:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-08-20 12:50:56 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-08-20 12:50:56 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-08-20 12:50:56 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-08-20 12:50:56 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-08-20 12:50:55 785368 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-08-20 12:50:55 1846232 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-08-20 07:43:53 -------- d-sh--w- c:\documents and settings\rita.vs-sfreisch\IECompatCache

.

==================== Find3M ====================

.

2011-09-10 13:27:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-23 21:35:36 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

.

============= FINISH: 15:56:04.43 ===============

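The thing that stands out in the two logs above is the `srv864` service: DDS lists it as an svchost-hosted service (`c:\windows\system32\svchost.exe -k netsvcs`) while the ComboFix registry dump shows its `servicedll` pointing at `\\?\globalroot\Device\HarddiskVolume1\WINDOWS\Temp\srv864.tmp`, a file in a Temp directory with a `.tmp` extension, reached through a device path rather than a drive letter. That combination is a typical way for a malicious DLL to run inside a legitimate-looking `svchost.exe` process, which fits the high-CPU symptom the thread started with. The following script is an added example, not something from the thread or any tool mentioned in it: it parses DDS-style `SERVICES / DRIVERS` lines, pairs svchost-hosted services with their ServiceDll values, and flags the ones loaded from unusual locations. The sample lines and the `SAMPLE_SERVICEDLLS` mapping are constructed from the log entries above; the function names and the heuristics are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four DDS "SERVICES / DRIVERS" lines copied from the thread above.
SAMPLE_DDS = r"""
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-1-7 108392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]
S2 srv864;srv864;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\AWHOST32.EXE [2002-2-15 114749]
"""

# Constructed sample: ServiceDll values as ComboFix reported them (only srv864 appears in the log).
SAMPLE_SERVICEDLLS: Dict[str, str] = {
    "srv864": r"\\?\globalroot\Device\HarddiskVolume1\WINDOWS\Temp\srv864.tmp",
}

# A DDS service line looks like:
#   <state> <name>;<display name>;<image path> [<date> <size>]
DDS_SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)

# Matches the "\\?\globalroot\Device\HarddiskVolumeN" prefix that hides the drive letter.
GLOBALROOT_RE = re.compile(r"^\\\\\?\\globalroot\\device\\harddiskvolume\d+", re.IGNORECASE)


def parse_dds_services(text: str) -> List[Dict[str, str]]:
    """Return one dict per recognised service/driver line (state, name, display, image, date, size)."""
    services = []
    for line in text.splitlines():
        m = DDS_SERVICE_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def assess_hosted_service(image: str, service_dll: Optional[str]) -> List[str]:
    """Heuristic checks for a service hosted in svchost.exe. Returns the reasons it looks suspicious."""
    reasons: List[str] = []
    if "svchost.exe" not in image.lower():
        return reasons  # stand-alone executables are out of scope for this check
    if service_dll is None:
        return ["svchost-hosted service with no ServiceDll value recorded"]
    dll = service_dll.lower()
    if GLOBALROOT_RE.match(dll):
        reasons.append("ServiceDll uses a \\\\?\\globalroot device path instead of a drive letter")
    path = GLOBALROOT_RE.sub("", dll)  # strip the device prefix so the directory checks still apply
    if "\\temp\\" in path:
        reasons.append("ServiceDll is loaded from a Temp directory")
    if not path.endswith(".dll"):
        reasons.append("ServiceDll does not have a .dll extension")
    if not any(d in path for d in ("\\windows\\system32\\", "\\program files\\")):
        reasons.append("ServiceDll is outside system32 and Program Files")
    return reasons


def find_suspicious_services(dds_text: str, service_dlls: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every svchost-hosted service that fails a check."""
    findings: Dict[str, List[str]] = {}
    for svc in parse_dds_services(dds_text):
        reasons = assess_hosted_service(svc["image"], service_dlls.get(svc["name"]))
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_services(SAMPLE_DDS, SAMPLE_SERVICEDLLS).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

On the sample, `srv864` is the only service flagged, and it fails all four checks. Two caveats for real use: a legitimate ServiceDll can live outside system32 (Program Files or vendor directories), so the last check is a prompt to look, not a verdict; and the script only knows a ServiceDll if you feed it the registry value, as ComboFix did here, so an svchost-hosted service with no recorded DLL is reported rather than silently passed.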

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program(s) (if present):

Spybot (since you aren't updating it)

Ad-Aware

HijackThis 2.0.2

Java Web Start

Java™ 6 Update 23

Restart your computer.

Get the latest version of Java.

Let me know what issues remain.

-screen317


  • Staff

Great news!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
