
explorer search gets redirected and music in the background



I am getting some strange browser behavior. The browser gets redirected to a strange website every now and then. Also, I am getting music playing in the background while no browser is up. The task manager shows iexplorer.exe as a process but no application is running. I shut down iexplorer and the music stops.

As a side note, I was hit bad with a virus last week and ended up doing a system recovery. The result was that most of my program links went to (empty).

I have updated Microsoft Essentials and run a full scan. I updated Malwarebytes and ran a full scan. I also use CCleaner to clean out the registry and review the startup.

Anyhow... here are the scan files.

Thanks for any help you can provide.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19

Run by James at 13:50:21 on 2011-10-22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1479 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\PROGRA~1\TVOBLO~1\nsfx.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\CCleaner\CCleaner.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [startCCC] "f:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [NetSweeperAgent] c:\progra~1\tvoblo~1\nsfx.exe

mRun: [NetSweeperLSPReset] "c:\program files\tvo blockit\instlsp.exe" -a -z "msafd tcpip" -n "liger" -d "c:\windows\system32\liger.dll"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: c:\windows\system32\liger.dll

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229889993296

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229948964531

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 66.51.205.100 66.51.206.100

TCP: Interfaces\{5A160213-163E-46E7-881E-E7ECD8B0B6F0} : DhcpNameServer = 66.51.205.100 66.51.206.100

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\james\application data\mozilla\firefox\profiles\tvk7wfi2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\documents and settings\james\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 MpKsl0a36d165;MpKsl0a36d165;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\MpKsl0a36d165.sys [2011-10-22 28752]

R1 MpKsl822c590a;MpKsl822c590a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dfe61791-e90d-4c0c-84d6-90e6493745d6}\mpksl822c590a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dfe61791-e90d-4c0c-84d6-90e6493745d6}\MpKsl822c590a.sys [?]

R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-10-19 23096]

S1 MpKsl23179f43;MpKsl23179f43;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdbd3d32-e778-416b-a027-112a69fc8a99}\mpksl23179f43.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdbd3d32-e778-416b-a027-112a69fc8a99}\MpKsl23179f43.sys [?]

S1 MpKsl29edc1fc;MpKsl29edc1fc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df80341c-d6b7-4989-9c2b-d46577ee9b2e}\mpksl29edc1fc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df80341c-d6b7-4989-9c2b-d46577ee9b2e}\MpKsl29edc1fc.sys [?]

S1 MpKsl505d14f9;MpKsl505d14f9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d7c33cda-4fe0-4780-837a-d9893e9bcc2f}\mpksl505d14f9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d7c33cda-4fe0-4780-837a-d9893e9bcc2f}\MpKsl505d14f9.sys [?]

S1 MpKsl515e831c;MpKsl515e831c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a2f2f40-da01-4f85-96ef-b5895b2d27ff}\mpksl515e831c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a2f2f40-da01-4f85-96ef-b5895b2d27ff}\MpKsl515e831c.sys [?]

S1 MpKsl65f7101a;MpKsl65f7101a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b44465ad-ed3e-4338-8214-51af3b6ee78c}\mpksl65f7101a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b44465ad-ed3e-4338-8214-51af3b6ee78c}\MpKsl65f7101a.sys [?]

S1 MpKsl6805d02d;MpKsl6805d02d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6fb1196b-c79b-4d32-aa41-193dc5819d51}\mpksl6805d02d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6fb1196b-c79b-4d32-aa41-193dc5819d51}\MpKsl6805d02d.sys [?]

S1 MpKsl97232ac2;MpKsl97232ac2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{807f69ec-bc12-475d-9039-6880fdad67b3}\mpksl97232ac2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{807f69ec-bc12-475d-9039-6880fdad67b3}\MpKsl97232ac2.sys [?]

S1 MpKsl9ec37d04;MpKsl9ec37d04;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb8040c2-2fd1-4b26-a76f-5d96805a2714}\mpksl9ec37d04.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb8040c2-2fd1-4b26-a76f-5d96805a2714}\MpKsl9ec37d04.sys [?]

S1 MpKslb97e225e;MpKslb97e225e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9394f2e4-0811-4e31-8dc4-4e7e7c00ba31}\mpkslb97e225e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9394f2e4-0811-4e31-8dc4-4e7e7c00ba31}\MpKslb97e225e.sys [?]

S1 MpKslba926c06;MpKslba926c06;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b223cc94-bd43-4585-90ba-6926551a4435}\mpkslba926c06.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b223cc94-bd43-4585-90ba-6926551a4435}\MpKslba926c06.sys [?]

S1 MpKslf761a3f3;MpKslf761a3f3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c29ea99-d9e5-4991-97da-a0f7df2b81e4}\mpkslf761a3f3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c29ea99-d9e5-4991-97da-a0f7df2b81e4}\MpKslf761a3f3.sys [?]

S2 gupdate1ca0b373d0dde0a;Google Update Service (gupdate1ca0b373d0dde0a);c:\program files\google\update\GoogleUpdate.exe [2009-7-22 133104]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 cpuz130;cpuz130;\??\c:\docume~1\james\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\james\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-22 133104]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-10-19 3768]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-10-19 208896]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 21504]

S4 nsfxsrv;nsfx service;c:\program files\tvo blockit\nsfxsrv.exe [2008-12-12 45056]

.

=============== Created Last 30 ================

.

2011-10-22 17:34:04 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-22 15:41:59 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\MpKsl0a36d165.sys

2011-10-22 15:41:44 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\offreg.dll

2011-10-22 15:41:41 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\mpengine.dll

2011-10-17 22:04:48 -------- d-sh--w- C:\TEMP

2011-10-15 20:14:46 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-15 20:14:46 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-15 19:47:00 -------- d-----w- C:\.lnk

2011-10-11 00:44:10 -------- d-----w- c:\program files\Vuze

2011-10-03 21:56:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-07-28 19:28:59 21064 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2007-06-20 19:16:30 15732984 ----a-w- c:\program files\Google_Earth_BZXD.exe

.

============= FINISH: 13:57:20.34 ===============

attach.txt

dds.txt


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.



MBAM Log....

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8039

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/28/2011 9:47:35 PM

mbam-log-2011-10-28 (21-47-34).txt

Scan type: Quick scan

Objects scanned: 241688

Time elapsed: 34 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log...

ComboFix 11-10-28.04 - James 10/29/2011 0:18.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.121 [GMT -4:00]

Running from: c:\documents and settings\James\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\temp\~DF4605.tmp

c:\temp\~DF500B.tmp

c:\temp\~DF5C2C.tmp

c:\temp\~DFC843.tmp

c:\temp\AdobeARM.log

c:\temp\Av-test.txt

c:\temp\fla6.tmp

c:\temp\hpqddsvc.log

c:\temp\MpCmdRun.log

c:\temp\Perflib_Perfdata_168.dat

c:\temp\Perflib_Perfdata_454.dat

c:\temp\Perflib_Perfdata_52c.dat

c:\temp\Perflib_Perfdata_53c.dat

c:\temp\T30DebugLogFile.txt

c:\temp\WGAErrLog.txt

c:\temp\WGANotify.settings

.

---- Previous Run -------

.

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zuj3n8hl.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\chrome.manifest

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zuj3n8hl.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\chrome\xulcache.jar

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zuj3n8hl.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\defaults\preferences\xulcache.js

c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zuj3n8hl.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\install.rdf

c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\chrome.manifest

c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\chrome\xulcache.jar

c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\defaults\preferences\xulcache.js

c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\extensions\{c6bc1aca-bd23-4155-9339-999e69815fe2}\install.rdf

c:\documents and settings\James\bsionxbzef.tmp

c:\documents and settings\James\Local Settings\Application Data\{CFAD237F-D0EA-424E-8C54-9C2F8CBEDACE}\chrome\content\overlay.xul

c:\documents and settings\James\Local Settings\Application Data\{CFAD237F-D0EA-424E-8C54-9C2F8CBEDACE}\install.rdf

c:\temp\~DF1D5F.tmp

c:\temp\~DF2931.tmp

c:\temp\~DF3DEC.tmp

c:\temp\~DF42E6.tmp

c:\temp\~DF42F2.tmp

c:\temp\~DF4345.tmp

c:\temp\~DF4366.tmp

c:\temp\~DF4537.tmp

c:\temp\~DF454D.tmp

c:\temp\~DF4569.tmp

c:\temp\~DF4E7B.tmp

c:\temp\~DF8494.tmp

c:\temp\~DF8ADD.tmp

c:\temp\~DF8E62.tmp

c:\temp\~DF8FA.tmp

c:\temp\~DF9065.tmp

c:\temp\~DF9399.tmp

c:\temp\~DF96F5.tmp

c:\temp\~DF9D4C.tmp

c:\temp\~DFDF91.tmp

c:\temp\~DFE5A3.tmp

c:\temp\~DFF0DD.tmp

c:\temp\a6f5_appcompat.txt

c:\temp\a956_appcompat.txt

c:\temp\AdobeARM.log

c:\temp\Attach.txt

c:\temp\Av-test.txt

c:\temp\dd_clwireg.txt

c:\temp\DDS.txt

c:\temp\dw.log

c:\temp\GUR2.tmp

c:\temp\hpqddsvc.log

c:\temp\MpCmdRun.log

c:\temp\Perflib_Perfdata_154.dat

c:\temp\Perflib_Perfdata_180.dat

c:\temp\Perflib_Perfdata_198.dat

c:\temp\Perflib_Perfdata_1dc.dat

c:\temp\Perflib_Perfdata_1fc.dat

c:\temp\Perflib_Perfdata_204.dat

c:\temp\Perflib_Perfdata_440.dat

c:\temp\Perflib_Perfdata_4b4.dat

c:\temp\Perflib_Perfdata_520.dat

c:\temp\Perflib_Perfdata_5c4.dat

c:\temp\Perflib_Perfdata_684.dat

c:\temp\Perflib_Perfdata_728.dat

c:\temp\Perflib_Perfdata_780.dat

c:\temp\Perflib_Perfdata_7a8.dat

c:\temp\Perflib_Perfdata_82c.dat

c:\temp\Perflib_Perfdata_93c.dat

c:\temp\Perflib_Perfdata_954.dat

c:\temp\T30DebugLogFile.txt

c:\temp\TMP00000001B37CC7CC9F7F1A90

c:\temp\TMP00000002BD33F610E651EFC3

c:\temp\tmp1.tmp

c:\temp\tmp2.tmp

c:\temp\tmp4.tmp

c:\temp\tmp5.tmp

c:\temp\WGAErrLog.txt

c:\temp\WGANotify.settings

c:\windows\system\QTIM32.DLL

c:\windows\system32\crs32.dll

c:\windows\system32\d3d9caps.dat

c:\windows\system32\GroupPolicy\User\Scripts\null

c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini

.

-- Previous Run --

.

c:\windows\system32\svchost.exe . . . is infected!!

.

c:\windows\system32\svchost.exe . . . is infected!!

.

c:\windows\explorer.exe . . . is infected!!

.

--------

.

c:\windows\system32\svchost.exe . . . is infected!!

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))

.

.

2011-10-29 05:04 . 2011-10-29 05:04 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB01CEFA-D122-418E-AE5E-174851B4CF53}\offreg.dll

2011-10-29 01:00 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB01CEFA-D122-418E-AE5E-174851B4CF53}\mpengine.dll

2011-10-17 22:04 . 2011-10-29 05:09 -------- d-----w- C:\TEMP

2011-10-15 20:14 . 2011-10-15 20:14 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-15 19:47 . 2011-10-15 19:47 -------- d-----w- C:\.lnk

2011-10-11 00:44 . 2011-10-11 00:44 -------- d-----w- c:\program files\Vuze

2011-10-03 21:56 . 2011-10-20 22:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-07 03:48 . 2010-04-08 14:15 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2004-08-10 17:51 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2004-08-10 17:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2004-08-10 17:50 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2007-06-20 19:16 . 2007-06-20 19:16 15732984 ----a-w- c:\program files\Google_Earth_BZXD.exe

2011-09-22 00:05 . 2011-08-17 23:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

<pre>
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
</pre>

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-04-05 . F1CE48089126384F26DB22D20529C94F . 21504 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2010-04-05 . CE6DD76F69471587D68ED47318267C5D . 21504 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe

.

[-] 2010-04-05 . 550B956A7DE1EC3A09EC31CD2B9D0432 . 33280 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2010-04-05 . B9E871E57FD1DEE8CB6A39FE8DCE015B . 33280 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe

.

[-] 2010-04-05 . BD3164F19323205956EC39E7CD691334 . 1040896 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2010-04-05 . 0BD38F62FA95441C1773C150FB101B37 . 1040896 . . [6.00.2900.5512] . . c:\windows\explorer.exe

.

[-] 2010-04-05 . 133DF00CAD8DBECAF66A6927EA4673D3 . 153600 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe

[-] 2010-04-05 . DB280053AB09BD367B1E39AFB12DF2D5 . 153600 . . [5.1.2600.5512] . . c:\windows\regedit.exe

.

[-] 2010-04-05 . A288284FE5979F75B0EB1201C47B184D . 22528 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe

[-] 2010-04-05 . 2E20E93F3BA2C3D3D4D90C2EC634C0A4 . 22528 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

.

[-] 2010-04-05 . 408B2F35023743CD2DC65415CB4F0EDD . 20992 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2010-04-05 . 8BB009192346E7BF9172417F7F19E1FD . 21504 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]

"NetSweeperAgent"="c:\progra~1\TVOBLO~1\nsfx.exe" [2009-01-08 247501]

"NetSweeperLSPReset"="c:\program files\TVO BLOCKIT\instlsp.exe" [2008-12-05 70968]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

2008-11-04 05:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

c:\program files\Electronic Arts\EADM\Core.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Cossacks - The Art Of War\\dmcr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7610:TCP"= 7610:TCP:UPnP

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [10/19/2008 9:44 PM 23096]

S1 MpKsl23179f43;MpKsl23179f43;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BDBD3D32-E778-416B-A027-112A69FC8A99}\MpKsl23179f43.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BDBD3D32-E778-416B-A027-112A69FC8A99}\MpKsl23179f43.sys [?]

S1 MpKsl29edc1fc;MpKsl29edc1fc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF80341C-D6B7-4989-9C2B-D46577EE9B2E}\MpKsl29edc1fc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF80341C-D6B7-4989-9C2B-D46577EE9B2E}\MpKsl29edc1fc.sys [?]

S1 MpKsl505d14f9;MpKsl505d14f9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7C33CDA-4FE0-4780-837A-D9893E9BCC2F}\MpKsl505d14f9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7C33CDA-4FE0-4780-837A-D9893E9BCC2F}\MpKsl505d14f9.sys [?]

S1 MpKsl515e831c;MpKsl515e831c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2F2F40-DA01-4F85-96EF-B5895B2D27FF}\MpKsl515e831c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2F2F40-DA01-4F85-96EF-B5895B2D27FF}\MpKsl515e831c.sys [?]

S1 MpKsl65f7101a;MpKsl65f7101a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B44465AD-ED3E-4338-8214-51AF3B6EE78C}\MpKsl65f7101a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B44465AD-ED3E-4338-8214-51AF3B6EE78C}\MpKsl65f7101a.sys [?]

S1 MpKsl66980241;MpKsl66980241;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8562DBBE-8BDC-4CE9-A799-BC91D3D4BE58}\MpKsl66980241.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8562DBBE-8BDC-4CE9-A799-BC91D3D4BE58}\MpKsl66980241.sys [?]

S1 MpKsl6805d02d;MpKsl6805d02d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FB1196B-C79B-4D32-AA41-193DC5819D51}\MpKsl6805d02d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FB1196B-C79B-4D32-AA41-193DC5819D51}\MpKsl6805d02d.sys [?]

S1 MpKsl7939d4d2;MpKsl7939d4d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A2ECA91-7465-4189-9E3A-21DEC7C9B40D}\MpKsl7939d4d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A2ECA91-7465-4189-9E3A-21DEC7C9B40D}\MpKsl7939d4d2.sys [?]

S1 MpKsl97232ac2;MpKsl97232ac2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{807F69EC-BC12-475D-9039-6880FDAD67B3}\MpKsl97232ac2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{807F69EC-BC12-475D-9039-6880FDAD67B3}\MpKsl97232ac2.sys [?]

S1 MpKsl9ec37d04;MpKsl9ec37d04;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8040C2-2FD1-4B26-A76F-5D96805A2714}\MpKsl9ec37d04.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8040C2-2FD1-4B26-A76F-5D96805A2714}\MpKsl9ec37d04.sys [?]

S1 MpKslb97e225e;MpKslb97e225e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9394F2E4-0811-4E31-8DC4-4E7E7C00BA31}\MpKslb97e225e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9394F2E4-0811-4E31-8DC4-4E7E7C00BA31}\MpKslb97e225e.sys [?]

S1 MpKslba926c06;MpKslba926c06;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B223CC94-BD43-4585-90BA-6926551A4435}\MpKslba926c06.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B223CC94-BD43-4585-90BA-6926551A4435}\MpKslba926c06.sys [?]

S1 MpKslf761a3f3;MpKslf761a3f3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C29EA99-D9E5-4991-97DA-A0F7DF2B81E4}\MpKslf761a3f3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C29EA99-D9E5-4991-97DA-A0F7DF2B81E4}\MpKslf761a3f3.sys [?]

S2 gupdate1ca0b373d0dde0a;Google Update Service (gupdate1ca0b373d0dde0a);c:\program files\Google\Update\GoogleUpdate.exe [7/22/2009 9:44 PM 133104]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 cpuz130;cpuz130;\??\c:\docume~1\James\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\James\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/22/2009 9:44 PM 133104]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [10/19/2008 9:44 PM 3768]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [10/19/2008 9:44 PM 208896]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 1:51 PM 21504]

S4 nsfxsrv;nsfx service;c:\program files\TVO BLOCKIT\nsfxsrv.exe [12/12/2008 3:02 PM 45056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 01:43]

.

2011-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 01:43]

.

2011-10-29 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-10-28 c:\windows\Tasks\User_Feed_Synchronization-{0C477CCF-06E8-432B-904C-C90AD204D90B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

LSP: c:\windows\system32\liger.dll

TCP: DhcpNameServer = 66.51.205.100 66.51.206.100

FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-29 01:07

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:32,4b,e6,dc,1d,47,1b,08,d1,56,18,93,ec,d3,34,80,9f,fa,08,87,7b,c0,f6,

a1,a0,b4,92,9f,38,91,58,a7,1c,10,b8,8e,66,4b,f2,c2,ec,2e,5d,2d,ba,f3,b2,2d,\

"??"=hex:de,c2,f1,00,6b,13,52,1e,8d,7b,f0,04,df,b8,e0,7f

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\SecuROM\License information*]

"datasecu"=hex:20,3b,ab,db,fa,35,5d,09,59,2b,1b,b3,74,0f,a3,2e,9e,83,83,f5,4a,

9a,7d,2e,ed,48,b9,25,9a,b8,71,97,5d,97,9e,82,22,ae,e5,14,95,b9,b7,a2,c4,7a,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(672)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(728)

c:\windows\system32\liger.dll

c:\windows\system32\ieframe.dll

.

- - - - - - - > 'explorer.exe'(3548)

c:\windows\system32\WININET.dll

c:\windows\system32\liger.dll

c:\windows\system32\ieframe.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\wudfhost.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\System32\vssvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\msdtc.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2011-10-29 01:35:31 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-29 05:34

ComboFix2.txt 2010-04-06 19:52

.

Pre-Run: 381,839,458,304 bytes free

Post-Run: 381,769,486,336 bytes free

.

- - End Of File - - F771269D100631662A5F28B13E175EFE

DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19

Run by James at 2:09:39 on 2011-10-29

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.119 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\TVOBLO~1\nsfx.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\QuickTime\qttask.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\internet explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [startCCC] "f:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [NetSweeperAgent] c:\progra~1\tvoblo~1\nsfx.exe

mRun: [NetSweeperLSPReset] "c:\program files\tvo blockit\instlsp.exe" -a -z "msafd tcpip" -n "liger" -d "c:\windows\system32\liger.dll"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

LSP: c:\windows\system32\liger.dll

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab

DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229889993296

DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229948964531

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{5A160213-163E-46E7-881E-E7ECD8B0B6F0} : DhcpNameServer = 192.168.1.1

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\james\application data\mozilla\firefox\profiles\tvk7wfi2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - plugin: c:\documents and settings\james\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165648]

R1 MpKsl69d7c342;MpKsl69d7c342;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d30724b8-ff55-4211-bcd9-93e535b66596}\MpKsl69d7c342.sys [2011-10-29 28752]

R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-10-19 23096]

S1 MpKsl23179f43;MpKsl23179f43;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdbd3d32-e778-416b-a027-112a69fc8a99}\mpksl23179f43.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bdbd3d32-e778-416b-a027-112a69fc8a99}\MpKsl23179f43.sys [?]

S1 MpKsl29edc1fc;MpKsl29edc1fc;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df80341c-d6b7-4989-9c2b-d46577ee9b2e}\mpksl29edc1fc.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{df80341c-d6b7-4989-9c2b-d46577ee9b2e}\MpKsl29edc1fc.sys [?]

S1 MpKsl505d14f9;MpKsl505d14f9;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d7c33cda-4fe0-4780-837a-d9893e9bcc2f}\mpksl505d14f9.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d7c33cda-4fe0-4780-837a-d9893e9bcc2f}\MpKsl505d14f9.sys [?]

S1 MpKsl515e831c;MpKsl515e831c;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a2f2f40-da01-4f85-96ef-b5895b2d27ff}\mpksl515e831c.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6a2f2f40-da01-4f85-96ef-b5895b2d27ff}\MpKsl515e831c.sys [?]

S1 MpKsl65f7101a;MpKsl65f7101a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b44465ad-ed3e-4338-8214-51af3b6ee78c}\mpksl65f7101a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b44465ad-ed3e-4338-8214-51af3b6ee78c}\MpKsl65f7101a.sys [?]

S1 MpKsl66980241;MpKsl66980241;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\mpksl66980241.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8562dbbe-8bdc-4ce9-a799-bc91d3d4be58}\MpKsl66980241.sys [?]

S1 MpKsl6805d02d;MpKsl6805d02d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6fb1196b-c79b-4d32-aa41-193dc5819d51}\mpksl6805d02d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6fb1196b-c79b-4d32-aa41-193dc5819d51}\MpKsl6805d02d.sys [?]

S1 MpKsl7939d4d2;MpKsl7939d4d2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1a2eca91-7465-4189-9e3a-21dec7c9b40d}\mpksl7939d4d2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1a2eca91-7465-4189-9e3a-21dec7c9b40d}\MpKsl7939d4d2.sys [?]

S1 MpKsl97232ac2;MpKsl97232ac2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{807f69ec-bc12-475d-9039-6880fdad67b3}\mpksl97232ac2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{807f69ec-bc12-475d-9039-6880fdad67b3}\MpKsl97232ac2.sys [?]

S1 MpKsl9ec37d04;MpKsl9ec37d04;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb8040c2-2fd1-4b26-a76f-5d96805a2714}\mpksl9ec37d04.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb8040c2-2fd1-4b26-a76f-5d96805a2714}\MpKsl9ec37d04.sys [?]

S1 MpKslb97e225e;MpKslb97e225e;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9394f2e4-0811-4e31-8dc4-4e7e7c00ba31}\mpkslb97e225e.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9394f2e4-0811-4e31-8dc4-4e7e7c00ba31}\MpKslb97e225e.sys [?]

S1 MpKslba926c06;MpKslba926c06;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b223cc94-bd43-4585-90ba-6926551a4435}\mpkslba926c06.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b223cc94-bd43-4585-90ba-6926551a4435}\MpKslba926c06.sys [?]

S1 MpKslf761a3f3;MpKslf761a3f3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c29ea99-d9e5-4991-97da-a0f7df2b81e4}\mpkslf761a3f3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3c29ea99-d9e5-4991-97da-a0f7df2b81e4}\MpKslf761a3f3.sys [?]

S2 gupdate1ca0b373d0dde0a;Google Update Service (gupdate1ca0b373d0dde0a);c:\program files\google\update\GoogleUpdate.exe [2009-7-22 133104]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 cpuz130;cpuz130;\??\c:\docume~1\james\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\james\locals~1\temp\cpuz130\cpuz_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-22 133104]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-10-19 3768]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-10-19 208896]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 21504]

S4 nsfxsrv;nsfx service;c:\program files\tvo blockit\nsfxsrv.exe [2008-12-12 45056]

.

=============== Created Last 30 ================

.

2011-10-29 06:00:23 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d30724b8-ff55-4211-bcd9-93e535b66596}\MpKsl69d7c342.sys

2011-10-29 06:00:11 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d30724b8-ff55-4211-bcd9-93e535b66596}\offreg.dll

2011-10-29 05:59:48 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d30724b8-ff55-4211-bcd9-93e535b66596}\mpengine.dll

2011-10-29 02:14:24 256000 ----a-w- c:\windows\PEV.exe

2011-10-17 22:04:48 -------- d-sh--w- C:\TEMP

2011-10-15 20:14:46 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-10-15 20:14:46 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-15 19:47:00 -------- d-----w- C:\.lnk

2011-10-11 00:44:10 -------- d-----w- c:\program files\Vuze

2011-10-03 21:56:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2007-06-20 19:16:30 15732984 ----a-w- c:\program files\Google_Earth_BZXD.exe

.

============= FINISH: 2:18:17.73 ===============

Attach log

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 6/22/2005 9:54:49 PM

System Uptime: 10/29/2011 1:54:55 AM (1 hours ago)

.

Motherboard: Dell Inc. | | 0M3918

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 466 GiB total, 355.544 GiB free.

D: is CDROM (UDF)

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1001: 10/10/2011 1:55:21 PM - Software Distribution Service 3.0

RP1002: 10/11/2011 11:51:05 AM - Software Distribution Service 3.0

RP1003: 10/11/2011 11:12:08 PM - Software Distribution Service 3.0

RP1004: 10/12/2011 12:26:08 PM - Software Distribution Service 3.0

RP1005: 10/12/2011 2:10:22 PM - Software Distribution Service 3.0

RP1006: 10/13/2011 6:01:34 PM - Software Distribution Service 3.0

RP1007: 10/13/2011 8:42:22 PM - Software Distribution Service 3.0

RP1008: 10/13/2011 10:49:10 PM - Software Distribution Service 3.0

RP1009: 10/14/2011 12:21:57 PM - Software Distribution Service 3.0

RP1010: 10/14/2011 8:19:58 PM - Software Distribution Service 3.0

RP1011: 10/14/2011 11:20:14 PM - Software Distribution Service 3.0

RP1012: 10/15/2011 3:49:43 PM - Restore Operation

RP1013: 10/15/2011 4:13:06 PM - Restore Operation

RP1014: 10/15/2011 4:14:12 PM - Restore Operation

RP1015: 10/16/2011 6:04:48 AM - Software Distribution Service 3.0

RP1016: 10/16/2011 2:47:21 PM - Software Distribution Service 3.0

RP1017: 10/17/2011 6:15:23 PM - Software Distribution Service 3.0

RP1018: 10/18/2011 6:27:46 PM - System Checkpoint

RP1019: 10/18/2011 11:36:49 PM - Software Distribution Service 3.0

RP1020: 10/20/2011 12:44:06 PM - Software Distribution Service 3.0

RP1021: 10/20/2011 1:59:49 PM - Software Distribution Service 3.0

RP1022: 10/20/2011 7:20:54 PM - Software Distribution Service 3.0

RP1023: 10/21/2011 10:53:47 AM - Software Distribution Service 3.0

RP1024: 10/21/2011 9:39:24 PM - Software Distribution Service 3.0

RP1025: 10/22/2011 6:58:42 AM - Software Distribution Service 3.0

RP1026: 10/22/2011 11:41:40 AM - Software Distribution Service 3.0

RP1027: 10/22/2011 12:38:51 PM - Software Distribution Service 3.0

RP1028: 10/22/2011 2:10:31 PM - Software Distribution Service 3.0

RP1029: 10/22/2011 5:40:25 PM - Software Distribution Service 3.0

RP1030: 10/22/2011 10:34:05 PM - Software Distribution Service 3.0

RP1031: 10/23/2011 1:32:34 PM - Software Distribution Service 3.0

RP1032: 10/23/2011 1:46:46 PM - Software Distribution Service 3.0

RP1033: 10/23/2011 10:49:55 PM - Software Distribution Service 3.0

RP1034: 10/26/2011 8:06:13 PM - Software Distribution Service 3.0

RP1035: 10/26/2011 11:01:03 PM - Software Distribution Service 3.0

RP1036: 10/28/2011 5:35:54 PM - Software Distribution Service 3.0

RP1037: 10/28/2011 9:00:09 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Acrobat.com

Adobe AIR

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Reader 9.4.6

Age of Empires III

Alien Swarm

Amazon MP3 Downloader 1.0.3

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft MediaImpression

ArcSoft WebCam Companion 2

Assassin's Creed

ATI AVIVO Codecs

ATI Catalyst Install Manager

ATI Display Driver

Baldur's Gate II - Throne of Bhaal

Bonjour

BufferChm

Carbonite

Cards_Calendar_OrderGift_DoMorePlugout

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Italian

CCC Help Japanese

CCC Help Norwegian

CCC Help Spanish

CCC Help Swedish

CCleaner

Compatibility Pack for the 2007 Office system

Copy

Cossacks - The Art Of War

Coupon Printer for Windows

CouponBar

Dell Driver Reset Tool

Dell Picture Studio v3.0

Dell System Restore

DellSupport

Destination Component

DeviceDiscovery

DeviceManagementQFolder

DivX Codec

DivX Version Checker

DJ_AIO_03_F4200_ProductContext

DJ_AIO_03_F4200_Software

DJ_AIO_03_F4200_Software_Min

eSupportQFolder

EVGA Display Driver

F4200

F4200_Help

Fallout 3

Google Earth

Google Update Helper

GPBaseService

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB954550-v5)

HP Deskjet F4200 All-In-One Driver Software 11.0 Rel .3

HP Imaging Device Functions 11.0

HP Photosmart Essential 2.5

HP Photosmart Essential 3.0

HP Smart Web Printing

HP Solution Center 11.0

HP Update

HPProductAssistant

InstaForm Invoices & Estimates Pro

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Intel® PROSet for Wired Connections

InterActual Player

Internet Explorer Default Page

iTunes

Java Auto Updater

Java 6 Update 19

Learn2 Player (Uninstall Only)

Macromedia Flash Player

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Games for Windows - LIVE

Microsoft Games for Windows - LIVE Redistributable

Microsoft Money 2005

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Office XP Web Components

Microsoft Plus! Digital Media Edition Installer

Microsoft Plus! Photo Story 2 LE

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft WSE 3.0 Runtime

Microsoft XML Parser

MioMore Desktop 2008

Move Networks Media Player for Internet Explorer

Mozilla Firefox 6.0.2 (x86 en-US)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MSXML 6.0 Parser (KB925673)

My Way Search Assistant

NetWaiting

Newsoft H264 Decoder

Photo Loader 2.3E

Photohands 1.0E

Pintar InterACTIVE VirtuaLab Electricity Lite Version

Pintar InterACTIVE VirtuaLab Electronics Lite Version

Pintar InterACTIVE VirtuaLab Mechanics Lite Version

Portal

PowerDVD

Protected Music Converter 1.0.0.21

PSSWCORE

Qualxserve Service Agreement

QuickTime

RealPlayer Basic

Rome - Total War

Sansa Updater

Savings Bond Wizard

Scan

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2553074)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for 2007 Microsoft Office System (KB2584063)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Office Access 2007 (KB979440)

Security Update for Microsoft Office Excel 2007 (KB2553073)

Security Update for Microsoft Office Groove 2007 (KB2552997)

Security Update for Microsoft Office InfoPath 2007 (KB2510061)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office Publisher 2007 (KB2284697)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB923689)

Sierra Utilities

Skins

Skype Toolbars

Skype™ 4.2

SmartWebPrinting

Smilebox

SolutionCenter

SoundMAX

Speccy

Starcraft

Status

Steam

System Requirements Lab

TableSmith

The Simpsons Hit & Run

The Sims

The Sims™ 2 Double Deluxe

The Sims™ 2 FreeTime

The Sims™ 3

Toolbox

TrayApp

TVO BLOCKIT

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office Outlook 2007 (KB2583910)

Update for Outlook 2007 Junk Email Filter (KB2596560)

V92 PCI Voice Faxmodem

Veetle TV 0.9.18

VideoToolkit01

Viewpoint Media Player

VoiceOver Kit

W Photo Studio

WebEx Support Manager for Internet Explorer

WebFldrs XP

WebReg

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Installer Clean Up

Windows Internet Explorer 7

Windows Live ID Sign-in Assistant

Windows Management Framework Core

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Player 10

Windows Media Player 11

Windows Presentation Foundation

WinRAR 4.01 beta 1 (32-bit)

WordPerfect Office 12

XML Paper Specification Shared Components Pack 1.0

Yahoo! BrowserPlus 2.9.8

Zoom ADSL Modem

.

==== Event Viewer Messages From Past Week ========

.

10/29/2011 12:02:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402

10/26/2011 11:00:01 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402

10/23/2011 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402

10/23/2011 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402

10/23/2011 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402

10/23/2011 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402

10/23/2011 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402

10/23/2011 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402

10/23/2011 3:22:13 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

10/23/2011 3:03:25 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.

10/23/2011 3:01:41 PM, error: Print [23] - Printer Dell Photo Printer 720,0 failed to initialize because a suitable Dell Photo Printer 720 driver could not be found.

10/23/2011 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402

10/23/2011 2:37:06 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error: An instance of the service is already running.

10/23/2011 2:36:06 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

10/23/2011 10:50:31 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2572067).

10/23/2011 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402

.

==== End Of File ===========================

Thanks for your time. BTW... now I have the new, odd issue of an hourglass over my taskbar. It is always there.


  • Staff

Hi,

My apologies for the delay.

Please grab a fresh copy of ComboFix, run it, and post its log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes its runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


A quick question... should I be in Safe Mode when running these utilities?


ComboFix 11-11-02.03 - James 11/02/2011 20:24:01.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.225 [GMT -4:00]

Running from: c:\documents and settings\James\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\temp\~DF33AD.tmp

c:\temp\~DF5ED5.tmp

c:\temp\~DF5EEA.tmp

c:\temp\~DF6035.tmp

c:\temp\~DF6090.tmp

c:\temp\~DF61B5.tmp

c:\temp\~DF6209.tmp

c:\temp\~DF96FB.tmp

c:\temp\~DF99CA.tmp

c:\temp\~DFA537.tmp

c:\temp\~DFC66C.tmp

c:\temp\~DFCBAF.tmp

c:\temp\~DFCE4A.tmp

c:\temp\~DFD77F.tmp

c:\temp\AdobeARM.log

c:\temp\Attach.txt

c:\temp\Av-test.txt

c:\temp\catchme.dll

c:\temp\dd_clwireg.txt

c:\temp\DDS.txt

c:\temp\dw.log

c:\temp\hpqddsvc.log

c:\temp\log.txt

c:\temp\MPC3.tmp

c:\temp\MpCmdRun.log

c:\temp\Perflib_Perfdata_11c.dat

c:\temp\Perflib_Perfdata_150.dat

c:\temp\Perflib_Perfdata_15c.dat

c:\temp\Perflib_Perfdata_42c.dat

c:\temp\Perflib_Perfdata_540.dat

c:\temp\Perflib_Perfdata_6fc.dat

c:\temp\T30DebugLogFile.txt

c:\temp\TMP000000075FEEBEDAE6887537

c:\temp\WGAErrLog.txt

c:\temp\WGANotify.settings

.

c:\windows\system32\svchost.exe . . . is infected!!

.

c:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))

.

.

2011-11-02 22:30 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1E522A28-F938-4A48-A301-9AEFF74B4FA6}\mpengine.dll

2011-11-01 22:51 . 2011-11-01 22:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-01 20:26 . 2011-11-01 20:26 -------- d-----w- C:\ocalServer

2011-10-17 22:04 . 2011-11-03 01:24 -------- d-----w- C:\TEMP

2011-10-15 20:14 . 2011-10-15 20:14 -------- d-----w- c:\windows\system32\wbem\Repository

2011-10-15 19:47 . 2011-10-15 19:47 -------- d-----w- C:\.lnk

2011-10-11 00:44 . 2011-10-11 00:44 -------- d-----w- c:\program files\Vuze

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-20 22:43 . 2011-10-03 21:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-07 03:48 . 2010-04-08 14:15 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41 . 2004-08-10 17:51 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41 . 2004-08-10 17:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2011-09-09 09:12 . 2004-08-10 17:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 13:20 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-08-22 23:48 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll

2011-08-22 23:48 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-08-22 23:48 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-08-22 11:56 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec

2011-08-17 13:49 . 2004-08-10 17:50 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2007-06-20 19:16 . 2007-06-20 19:16 15732984 ----a-w- c:\program files\Google_Earth_BZXD.exe

2011-09-22 00:05 . 2011-08-17 23:02 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Windows Defender\msascui .exe

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2010-04-05 . F1CE48089126384F26DB22D20529C94F . 21504 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2010-04-05 . CE6DD76F69471587D68ED47318267C5D . 21504 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe

.

[-] 2010-04-05 . 550B956A7DE1EC3A09EC31CD2B9D0432 . 33280 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2010-04-05 . B9E871E57FD1DEE8CB6A39FE8DCE015B . 33280 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe

.

[-] 2010-04-05 . BD3164F19323205956EC39E7CD691334 . 1040896 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2010-04-05 . 0BD38F62FA95441C1773C150FB101B37 . 1040896 . . [6.00.2900.5512] . . c:\windows\explorer.exe

.

[-] 2010-04-05 . 133DF00CAD8DBECAF66A6927EA4673D3 . 153600 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe

[-] 2010-04-05 . DB280053AB09BD367B1E39AFB12DF2D5 . 153600 . . [5.1.2600.5512] . . c:\windows\regedit.exe

.

[-] 2010-04-05 . A288284FE5979F75B0EB1201C47B184D . 22528 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe

[-] 2010-04-05 . 2E20E93F3BA2C3D3D4D90C2EC634C0A4 . 22528 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

.

[-] 2010-04-05 . 408B2F35023743CD2DC65415CB4F0EDD . 20992 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2010-04-05 . 8BB009192346E7BF9172417F7F19E1FD . 21504 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe

.

((((((((((((((((((((((((((((( SnapShot@2011-10-29_05.08.23 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-09-22 18:41 . 2011-11-01 20:32 6262188 c:\windows\system32\Restore\rstrlog.dat

+ 2011-07-12 19:50 . 2011-07-12 19:50 17555968 c:\windows\Installer\17c1e8.msp

+ 2011-07-12 19:50 . 2011-07-12 19:50 17555968 c:\windows\Installer\12389c.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="f:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]

"NetSweeperAgent"="c:\progra~1\TVOBLO~1\nsfx.exe" [2009-01-08 247501]

"NetSweeperLSPReset"="c:\program files\TVO BLOCKIT\instlsp.exe" [2008-12-05 70968]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]

2008-11-04 05:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]

c:\program files\Electronic Arts\EADM\Core.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Cossacks - The Art Of War\\dmcr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"7610:TCP"= 7610:TCP:UPnP

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [10/19/2008 9:44 PM 23096]

S1 MpKsl23179f43;MpKsl23179f43;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BDBD3D32-E778-416B-A027-112A69FC8A99}\MpKsl23179f43.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BDBD3D32-E778-416B-A027-112A69FC8A99}\MpKsl23179f43.sys [?]

S1 MpKsl29edc1fc;MpKsl29edc1fc;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF80341C-D6B7-4989-9C2B-D46577EE9B2E}\MpKsl29edc1fc.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DF80341C-D6B7-4989-9C2B-D46577EE9B2E}\MpKsl29edc1fc.sys [?]

S1 MpKsl505d14f9;MpKsl505d14f9;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7C33CDA-4FE0-4780-837A-D9893E9BCC2F}\MpKsl505d14f9.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D7C33CDA-4FE0-4780-837A-D9893E9BCC2F}\MpKsl505d14f9.sys [?]

S1 MpKsl515e831c;MpKsl515e831c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2F2F40-DA01-4F85-96EF-B5895B2D27FF}\MpKsl515e831c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6A2F2F40-DA01-4F85-96EF-B5895B2D27FF}\MpKsl515e831c.sys [?]

S1 MpKsl65f7101a;MpKsl65f7101a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B44465AD-ED3E-4338-8214-51AF3B6EE78C}\MpKsl65f7101a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B44465AD-ED3E-4338-8214-51AF3B6EE78C}\MpKsl65f7101a.sys [?]

S1 MpKsl66980241;MpKsl66980241;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8562DBBE-8BDC-4CE9-A799-BC91D3D4BE58}\MpKsl66980241.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8562DBBE-8BDC-4CE9-A799-BC91D3D4BE58}\MpKsl66980241.sys [?]

S1 MpKsl6805d02d;MpKsl6805d02d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FB1196B-C79B-4D32-AA41-193DC5819D51}\MpKsl6805d02d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6FB1196B-C79B-4D32-AA41-193DC5819D51}\MpKsl6805d02d.sys [?]

S1 MpKsl7939d4d2;MpKsl7939d4d2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A2ECA91-7465-4189-9E3A-21DEC7C9B40D}\MpKsl7939d4d2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A2ECA91-7465-4189-9E3A-21DEC7C9B40D}\MpKsl7939d4d2.sys [?]

S1 MpKsl97232ac2;MpKsl97232ac2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{807F69EC-BC12-475D-9039-6880FDAD67B3}\MpKsl97232ac2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{807F69EC-BC12-475D-9039-6880FDAD67B3}\MpKsl97232ac2.sys [?]

S1 MpKsl9ec37d04;MpKsl9ec37d04;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8040C2-2FD1-4B26-A76F-5D96805A2714}\MpKsl9ec37d04.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB8040C2-2FD1-4B26-A76F-5D96805A2714}\MpKsl9ec37d04.sys [?]

S1 MpKslb97e225e;MpKslb97e225e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9394F2E4-0811-4E31-8DC4-4E7E7C00BA31}\MpKslb97e225e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9394F2E4-0811-4E31-8DC4-4E7E7C00BA31}\MpKslb97e225e.sys [?]

S1 MpKslba926c06;MpKslba926c06;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B223CC94-BD43-4585-90BA-6926551A4435}\MpKslba926c06.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B223CC94-BD43-4585-90BA-6926551A4435}\MpKslba926c06.sys [?]

S1 MpKslf761a3f3;MpKslf761a3f3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C29EA99-D9E5-4991-97DA-A0F7DF2B81E4}\MpKslf761a3f3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C29EA99-D9E5-4991-97DA-A0F7DF2B81E4}\MpKslf761a3f3.sys [?]

S2 gupdate1ca0b373d0dde0a;Google Update Service (gupdate1ca0b373d0dde0a);c:\program files\Google\Update\GoogleUpdate.exe [7/22/2009 9:44 PM 133104]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

S3 cpuz130;cpuz130;\??\c:\docume~1\James\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\James\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/22/2009 9:44 PM 133104]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [10/19/2008 9:44 PM 3768]

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [10/19/2008 9:44 PM 208896]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 1:51 PM 21504]

S4 nsfxsrv;nsfx service;c:\program files\TVO BLOCKIT\nsfxsrv.exe [12/12/2008 3:02 PM 45056]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 01:43]

.

2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 01:43]

.

2011-11-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]

.

2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{0C477CCF-06E8-432B-904C-C90AD204D90B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local;<local>

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

LSP: c:\windows\system32\liger.dll

TCP: DhcpNameServer = 66.51.205.100 66.51.206.100

FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\tvk7wfi2.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-02 21:22

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\temp\Content.IE5\VHDON3P5\like[1].php 0 bytes

c:\temp\Content.IE5\UVOZI2EX\fastbutton[1].txt 0 bytes

.

scan completed successfully

hidden files: 2

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:32,4b,e6,dc,1d,47,1b,08,d1,56,18,93,ec,d3,34,80,9f,fa,08,87,7b,c0,f6,

a1,a0,b4,92,9f,38,91,58,a7,1c,10,b8,8e,66,4b,f2,c2,ec,2e,5d,2d,ba,f3,b2,2d,\

"??"=hex:de,c2,f1,00,6b,13,52,1e,8d,7b,f0,04,df,b8,e0,7f

.

[HKEY_USERS\S-1-5-21-3574213415-3524718026-2869522315-1006\Software\SecuROM\License information*]

"datasecu"=hex:20,3b,ab,db,fa,35,5d,09,59,2b,1b,b3,74,0f,a3,2e,9e,83,83,f5,4a,

9a,7d,2e,ed,48,b9,25,9a,b8,71,97,5d,97,9e,82,22,ae,e5,14,95,b9,b7,a2,c4,7a,\

"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(664)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(720)

c:\windows\system32\liger.dll

c:\windows\system32\ieframe.dll

.

- - - - - - - > 'explorer.exe'(2152)

c:\windows\system32\WININET.dll

c:\windows\system32\liger.dll

c:\windows\system32\ieframe.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\TVO BLOCKIT\nsfx.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2011-11-02 21:43:09 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-03 01:42

ComboFix2.txt 2011-10-29 05:35

ComboFix3.txt 2010-04-06 19:52

.

Pre-Run: 381,731,352,576 bytes free

Post-Run: 381,853,351,936 bytes free

.

- - End Of File - - DF420A1D0079EEDA150FF9509583419B

TDSSKiller unzipped, but the exe did not run. BTW, I am running it under my user, not admin, and under normal Windows, not Safe Mode.

Thanks for your help.


  • Staff

Hi,

Things are not looking good. You have many patched system files without good replacements available. Do you have your Windows CD?

Please go to VirusTotal, and upload the following file(s) for analysis:

c:\windows\system32\svchost.exe

c:\windows\explorer.exe

c:\windows\system32\userinit.exe

Post the results in your reply.

Also zip up that file and attach it to your reply.


Attached is a zip of the files (including the logs below).

///////////////////////////////////////////

c:\windows\explorer.exe LOG

////////////////////////////////////////

File name:

explorer.exe

Submission date:

2011-11-08 00:46:16 (UTC)

Current status:

finished

Result: 2/43 (4.7%)

VT Community: not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.11.07.00 2011.11.07 -

AntiVir 7.11.17.40 2011.11.07 TR/Patched.Gen

Antiy-AVL 2.0.3.7 2011.11.07 -

Avast 6.0.1289.0 2011.11.08 -

AVG 10.0.0.1190 2011.11.07 -

BitDefender 7.2 2011.11.08 -

ByteHero 1.0.0.1 2011.11.04 -

CAT-QuickHeal None 2011.11.07 -

ClamAV 0.97.3.0 2011.11.07 -

Commtouch 5.3.2.6 2011.11.07 -

Comodo 10702 2011.11.07 Virus.Win32.Virut.Ce

DrWeb 5.0.2.03300 2011.11.08 -

Emsisoft 5.1.0.11 2011.11.08 -

eSafe 7.0.17.0 2011.11.07 -

eTrust-Vet 36.1.8661 2011.11.08 -

F-Prot 4.6.5.141 2011.11.07 -

F-Secure 9.0.16440.0 2011.11.07 -

Fortinet 4.3.370.0 2011.11.08 -

GData 22 2011.11.08 -

Ikarus T3.1.1.107.0 2011.11.07 -

Jiangmin 13.0.900 2011.11.07 -

K7AntiVirus 9.117.5404 2011.11.07 -

Kaspersky 9.0.0.837 2011.11.07 -

McAfee 5.400.0.1158 2011.11.08 -

McAfee-GW-Edition 2010.1D 2011.11.07 -

Microsoft 1.7801 2011.11.07 -

NOD32 6609 2011.11.08 -

Norman 6.07.13 2011.11.07 -

nProtect 2011-11-07.02 2011.11.07 -

Panda 10.0.3.5 2011.11.07 -

PCTools 8.0.0.5 2011.11.08 -

Prevx 3.0 2011.11.08 -

Rising 23.83.00.02 2011.11.07 -

Sophos 4.71.0 2011.11.08 -

SUPERAntiSpyware 4.40.0.1006 2011.11.08 -

Symantec 20111.2.0.82 2011.11.08 -

TheHacker 6.7.0.1.338 2011.11.06 -

TrendMicro 9.500.0.1008 2011.11.07 -

TrendMicro-HouseCall 9.500.0.1008 2011.11.08 -

VBA32 3.12.16.4 2011.11.04 -

VIPRE 10993 2011.11.08 -

ViRobot 2011.11.7.4759 2011.11.08 -

VirusBuster 14.1.51.0 2011.11.07 -

/////////////////////////////////////

USERINIT LOG

/////////////////////////////////////

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

userinit.exe

Submission date:

2011-11-08 00:53:24 (UTC)

Current status:

finished

Result: 4/41 (9.8%)

VT Community: not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.11.07.00 2011.11.07 -

AntiVir 7.11.17.40 2011.11.07 TR/Crypt.XPACK.Gen2

Antiy-AVL 2.0.3.7 2011.11.07 -

Avast 6.0.1289.0 2011.11.08 -

AVG 10.0.0.1190 2011.11.07 -

BitDefender 7.2 2011.11.08 -

ByteHero 1.0.0.1 2011.11.04 -

CAT-QuickHeal 11.00 2011.11.07 -

ClamAV 0.97.3.0 2011.11.07 -

Commtouch 5.3.2.6 2011.11.07 -

Comodo 10702 2011.11.07 -

DrWeb 5.0.2.03300 2011.11.08 -

Emsisoft 5.1.0.11 2011.11.08 Virus.Win32.Virut!IK

eSafe 7.0.17.0 2011.11.07 -

eTrust-Vet 36.1.8661 2011.11.08 -

F-Prot 4.6.5.141 2011.11.07 -

F-Secure 9.0.16440.0 2011.11.07 -

Fortinet 4.3.370.0 2011.11.08 -

GData 22 2011.11.08 -

Ikarus T3.1.1.107.0 2011.11.07 Virus.Win32.Virut

Jiangmin 13.0.900 2011.11.07 -

K7AntiVirus 9.117.5404 2011.11.07 -

Kaspersky 9.0.0.837 2011.11.07 -

McAfee 5.400.0.1158 2011.11.08 -

McAfee-GW-Edition 2010.1D 2011.11.07 Heuristic.LooksLike.Win32.Suspicious.J!85

Microsoft 1.7801 2011.11.07 -

NOD32 6609 2011.11.08 -

Norman 6.07.13 2011.11.07 -

nProtect 2011-11-07.02 2011.11.07 -

Panda 10.0.3.5 2011.11.07 -

PCTools 8.0.0.5 2011.11.08 -

Rising 23.83.00.02 2011.11.07 -

Sophos 4.71.0 2011.11.08 -

SUPERAntiSpyware 4.40.0.1006 2011.11.08 -

Symantec 20111.2.0.82 2011.11.08 -

TheHacker 6.7.0.1.338 2011.11.06 -

TrendMicro 9.500.0.1008 2011.11.07 -

VBA32 3.12.16.4 2011.11.04 -

VIPRE 10993 2011.11.08 -

ViRobot 2011.11.7.4759 2011.11.08 -

VirusBuster 14.1.51.0 2011.11.07 -

Additional information


MD5 : 550b956a7de1ec3a09ec31cd2b9d0432

SHA1 : 7ec9fa772806190e5002d293363f80c1ae4f2115

SHA256: 3b4bc08790f13f0ba7cac8ae63b94b39f3789ed92959cab491c703c75cc53d30


/////////////////////////////////

SVCHOST.EXE LOG

///////////////////////////////

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name:

svchost.exe

Submission date:

2011-11-08 00:56:50 (UTC)

Current status:

finished

Result: 3/41 (7.3%)

VT Community: not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.11.07.00 2011.11.07 -

AntiVir 7.11.17.40 2011.11.07 TR/Crypt.ZPACK.Gen2

Antiy-AVL 2.0.3.7 2011.11.07 -

Avast 6.0.1289.0 2011.11.08 -

AVG 10.0.0.1190 2011.11.07 -

BitDefender 7.2 2011.11.08 -

CAT-QuickHeal 11.00 2011.11.07 -

ClamAV 0.97.3.0 2011.11.07 -

Commtouch 5.3.2.6 2011.11.07 -

Comodo 10702 2011.11.07 -

DrWeb 5.0.2.03300 2011.11.08 -

Emsisoft 5.1.0.11 2011.11.08 -

eSafe 7.0.17.0 2011.11.07 -

eTrust-Vet 36.1.8661 2011.11.08 -

F-Prot 4.6.5.141 2011.11.07 -

F-Secure 9.0.16440.0 2011.11.07 -

Fortinet 4.3.370.0 2011.11.08 -

GData 22 2011.11.08 -

Ikarus T3.1.1.107.0 2011.11.07 -

Jiangmin 13.0.900 2011.11.07 -

K7AntiVirus 9.117.5404 2011.11.07 -

Kaspersky 9.0.0.837 2011.11.07 -

McAfee 5.400.0.1158 2011.11.08 -

McAfee-GW-Edition 2010.1D 2011.11.07 Heuristic.LooksLike.Win32.Suspicious.J!88

Microsoft 1.7801 2011.11.07 -

NOD32 6609 2011.11.08 -

Norman 6.07.13 2011.11.07 -

nProtect 2011-11-07.02 2011.11.07 -

Panda 10.0.3.5 2011.11.07 -

PCTools 8.0.0.5 2011.11.08 -

Prevx 3.0 2011.11.08 -

Rising 23.83.00.02 2011.11.07 -

Sophos 4.71.0 2011.11.08 Sus/BadSVC-A

SUPERAntiSpyware 4.40.0.1006 2011.11.08 -

TheHacker 6.7.0.1.338 2011.11.06 -

TrendMicro 9.500.0.1008 2011.11.07 -

TrendMicro-HouseCall 9.500.0.1008 2011.11.08 -

VBA32 3.12.16.4 2011.11.04 -

VIPRE 10993 2011.11.08 -

ViRobot 2011.11.7.4759 2011.11.08 -

VirusBuster 14.1.51.0 2011.11.07 -

Additional information


MD5 : f1ce48089126384f26db22d20529c94f

SHA1 : 6eab54f3dd4888288ee5fa7f47f94cebe37a7b0c

SHA256: 55aeb15bab35bd615fb8055aba769a16fcb94f1048d0f660c0cff5b92ea4bbc8

Thanks again for any help.

Attachment: New Compressed (zipped) Folder.zip


I downloaded Kaspersky Virus Tool. I ended up running this and it found a few viruses and cleaned them up.

TDSSKiller subsequently ran but did not find anything. I also redid VirusTotal on my exes and it still found some items.

But....

I haven't had a hijacked browser or music randomly come up from my machine since.


  • Staff

Hi,

My apologies for the delay.

I'm afraid I have some very bad news...

The infection that you can see in the Kaspersky scan, Virus.Win32.Virut is what we call a file-infector.

These are particularly malicious, in that they infect all of your legitimate programs.

The problem is... the virus is very buggy, so it does not do a good job of infecting your files, so any attempt to disinfect and possibly save your files would be futile, in that, due to the buggy virus, we cannot properly disinfect your files.

What I highly recommend now is a reformat and a reinstallation of Windows XP.

Please let me know if you are prepared to do so.

You may backup and save all files except programs (meaning pictures and documents are okay), because if you backup any applications, they will transfer to your clean system, and you will be reinfected.

So, with that said, can you get access to a Windows CD of the same version type?


I have Carbonite, so my files should be fine. Can I use a different version of Windows? I have family laptops that use Windows 7.


OK...more details.

1. My backup files are in Carbonite, so I don't mind clearing everything out.

2. I don't have any Windows CDs, either for my current old XP machine or my wife's more recent Windows 7 CD.


OK...I found the XP Installation CD(s) on eBay and have ordered them.

So where are the instructions on reloading XP? Do I need to reformat the hard drive or something first?

Thanks


Hi,

My apologies for the delay.

Yes I recommend formatting the hard drive before reinstalling Windows. Microsoft has a good article here:

http://support.microsoft.com/kb/313348

Let me know if you have any other questions.

Thanks for all the help. I have successfully reformatted and installed Windows XP on my PC.

Happiness is only one program in my startup.


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 2 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
