Firefox Crashes and computer freezes up


This topic is locked
15 replies to this topic

#1 vphn


Posted 04 December 2009 - 01:46 PM

Suspect some spyware or virus has taken hold of my computer. Firefox crashes after about 5 minutes and the computer freezes up which requires me to physically turn it off. Cannot use ctrl-alt-delete or anything.
Please help.

Vincent


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:10 PM, on 12/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://68.239.81.172:8000/WebDvr3.cab
O16 - DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} (xWebView2 Control) - http://72.66.127.28/template/xWebView2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: FireDaemon Service: HLDS (HLDS) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 8818 bytes


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:04:07 AM

Posted 18 December 2009 - 08:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:07 AM

Posted 19 December 2009 - 12:42 PM

Thank you for responding to my post.

My computer freezes up soon after I open an internet browser (either firefox or ie). I then have to physically shut off the computer using the power button.

The only steps I have taken are:

1) Using ATF cleaner
2) Scanning with Malwarebytes Anti-Malware program.
3) And conducting a virus scan with AVG

A couple trojans popped up on the scan, although I forget their names at this time.

I really appreciate your help.

Here is my DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 12:34:27.04 on Sat 12/19/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2813 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GEST] m‘|\ü
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link wireless n usb adapter dwa-130\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} - hxxp://68.239.81.172:8000/WebDvr3.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} - hxxp://72.66.127.28/template/xWebView2.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\vu3kjigr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-5-13 68136]
S2 HLDS;FireDaemon Service: HLDS;c:\program files\firedaemon\firedaemon.exe -s --> c:\program files\firedaemon\FireDaemon.exe -s [?]
S3 {429C823E-AF65-4C64-9ACCFAAF1DF2FF21};{429C823E-AF65-4C64-9ACCFAAF1DF2FF21};c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 {6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};\??\c:\windows\temp\18ee.tmp --> c:\windows\temp\18EE.tmp [?]

=============== Created Last 30 ================

2009-12-04 16:56:08 0 d-----w- c:\program files\ESET
2009-12-04 16:55:26 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-12-04 16:55:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 16:55:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-04 16:55:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 16:55:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 16:42:40 0 d-----w- C:\92d0b7c0719f9314f053de
2009-12-04 16:31:30 0 d-----w- c:\program files\Trend Micro
2009-12-03 21:03:19 0 d-----w- c:\program files\AVG
2009-12-03 20:42:08 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-12-19 17:33:16 16608 ----a-w- c:\windows\gdrv.sys
2009-09-25 05:56:36 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 12:34:39.28 ===============
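
A defender-side triage helper, added here as an example and not part of this thread or of HijackThis, DDS or any other tool named in it: it parses lines in the shape of the HijackThis O16/O23 entries and the DDS SERVICES / DRIVERS entries posted above and flags the kinds of entries a helper looks at first (an ActiveX CAB fetched from a bare IP address, an O23 service whose file is missing, a GUID-named service loading from a temp directory). The sample lines are constructed from this thread's logs; the rule set and names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


# Constructed sample: lines in the shape of the HijackThis (O16/O23) and
# DDS "SERVICES / DRIVERS" entries from this thread, benign ones included.
SAMPLE_LOG = r"""
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} (WebDvr3 Class) - http://68.239.81.172:8000/WebDvr3.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FireDaemon Service: HLDS (HLDS) - Unknown owner - C:\Program Files\FireDaemon\FireDaemon.exe (file missing)
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-5-13 68136]
S3 {6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};\??\c:\windows\temp\18ee.tmp --> c:\windows\temp\18EE.tmp [?]
"""

# HijackThis "O16 - DPF:" or DDS "DPF:" entry; the last field is the download URL.
DPF_RE = re.compile(r"^(?:O16 - )?DPF: .*? - (\S+)$")
# DDS service line: "<state> <name>;<display name>;<image path> [...]".
DDS_SVC_RE = re.compile(r"^[RS][0-4] ([^;]+);([^;]*);(.*)$")
# A service whose name is nothing but a GUID gives no hint of a vendor.
GUID_NAME_RE = re.compile(r"\{[0-9a-f-]{32,}\}", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


def check_dpf(line: str):
    """Flag an ActiveX (DPF) download whose host is a bare IP address."""
    m = DPF_RE.match(line)
    if not m:
        return None
    host = urlparse(m.group(1)).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None  # an ordinary hostname; this rule has nothing to say
    return Finding(line, f"ActiveX control downloaded from bare IP host {host}")


def check_o23(line: str):
    """Flag an O23 service whose registered binary is gone (orphaned entry)."""
    if line.startswith("O23 - Service:") and "(file missing)" in line:
        return Finding(line, "service entry points at a file missing from disk")
    return None


def check_dds_service(line: str):
    """Flag a DDS service/driver that loads from a temp directory; note when
    its name is only a GUID."""
    m = DDS_SVC_RE.match(line)
    if not m:
        return None
    name, _display, path = m.groups()
    if not TEMP_DIR_RE.search(path):
        return None
    reason = f"service {name!r} loads its image from a temp directory"
    if GUID_NAME_RE.fullmatch(name.strip()):
        reason += " and is named only by a GUID"
    return Finding(line, reason)


CHECKS = (check_dpf, check_o23, check_dds_service)


def triage(log_text: str) -> list:
    """Run every check over every non-empty line; one Finding per hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[!] {f.reason}\n    {f.line}")
```

Hits are leads for a human to check against the rest of the log, not verdicts; a vendor-signed control or a legitimately removed program can trip the same rules.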

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 19 December 2009 - 04:07 PM

Hello and welcome.

I would like to see a rootkit scan please.

Please run RootRepeal as described here in Step #7: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If RootRepeal doesn't work let me know what happened and run GMER instead. If it does work, then skip the GMER step below and post the RootRepeal log in your next reply.
---
Download and Run GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:07 AM

Posted 21 December 2009 - 01:17 PM

Here is the RootRepeal Log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/21 12:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4606000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB8624000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2942000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\documents and settings\helpassistant\ntuser.dat
Status: Size mismatch (API: 3227648, Raw: 3235840)

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030544.mst
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030562.mst
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030580.mst
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030598.inf
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030613.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030631.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030649.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030667.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030685.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030703.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030721.DES
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030739.ttf
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030757.ttf
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030775.cat
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030793.inf
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030809.cat
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030827.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030828.crl
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030829.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030830.INI
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030831.mfl
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030832.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030833.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030834.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030835.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030836.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030837.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030838.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030839.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030840.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030841.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030842.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030843.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030844.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030845.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030846.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030847.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030848.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030849.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030850.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030851.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030852.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030853.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030854.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030855.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030856.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030857.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030858.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030859.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030860.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030861.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030862.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030863.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030864.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030865.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030866.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030867.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030868.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030869.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030870.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030871.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030872.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030873.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030874.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030875.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030876.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030877.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030878.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030879.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030880.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030881.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030882.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030883.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030884.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030885.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030886.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030887.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030888.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030889.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030890.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030891.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030892.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030893.ini
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030894.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030895.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030896.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030897.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030898.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030899.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030900.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030901.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030902.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030903.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030904.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030905.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030906.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030907.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030908.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030909.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030910.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030911.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030912.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030913.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030914.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030915.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030916.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030917.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030918.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030919.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030920.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030921.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030922.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030923.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030924.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030925.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030926.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030927.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030928.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030929.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030930.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030931.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030932.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030933.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030934.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030935.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030936.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030937.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030938.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030939.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030940.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030941.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030942.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030943.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030944.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030945.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030946.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030947.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030948.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030949.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030950.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030951.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030952.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030953.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030954.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030955.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030956.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030957.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030958.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030959.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030960.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030961.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030962.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030963.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030964.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030965.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030966.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030967.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030968.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030969.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030970.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030971.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030972.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030973.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030974.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030975.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030976.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030977.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030978.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030979.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030980.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030981.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030982.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030983.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030984.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030985.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030986.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030987.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030988.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030989.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030990.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030991.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030992.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030993.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{C42DFEE2-FC32-42A5-812B-8A3F08331013}\RP250\A0030994.lnk
Status: Visible to the Windows API, but not on disk.
Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5b6690 Size: 31

==EOF==

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:07 AM

Posted 21 December 2009 - 01:21 PM

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:07 AM

Posted 21 December 2009 - 02:07 PM

Here is the ComboFix log:



ComboFix 09-12-20.08 - User 12/21/2009 13:41:29.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2978 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-04 16:56 . 2009-12-04 16:56 -------- d-----w- c:\program files\ESET
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-04 16:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 16:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 16:42 . 2009-12-04 16:42 -------- d-----w- C:\92d0b7c0719f9314f053de
2009-12-04 16:31 . 2009-12-04 16:31 -------- d-----w- c:\program files\Trend Micro
2009-12-03 21:03 . 2009-12-03 21:03 -------- d-----w- c:\program files\AVG
2009-12-03 15:26 . 2009-12-03 15:26 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-03 15:23 . 2009-12-03 15:23 -------- d-----w- c:\documents and settings\HelpAssistant\IGC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 18:47 . 2009-05-13 13:25 16608 ----a-w- c:\windows\gdrv.sys
2009-12-09 00:44 . 2009-06-03 21:14 -------- d-----w- c:\documents and settings\User\Application Data\U3
2009-11-28 03:25 . 2009-11-28 03:25 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 19:56 . 2009-05-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-24 01:42 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\User\Application Data\Image Zone Express
2009-10-24 01:42 . 2009-05-19 02:56 -------- d-----w- c:\documents and settings\User\Application Data\Printer Info Cache
2009-09-25 05:56 . 2004-08-04 12:00 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m‘|\ü" [X]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-5-13 972064]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-2-15 300320]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2009-5-19 20512768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3406:TCP"= 3406:TCP:Services

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [5/13/2009 8:26 AM 68136]
S2 HLDS;FireDaemon Service: HLDS;c:\program files\FireDaemon\FireDaemon.exe -s --> c:\program files\FireDaemon\FireDaemon.exe -s [?]
S3 {429C823E-AF65-4C64-9ACCFAAF1DF2FF21};{429C823E-AF65-4C64-9ACCFAAF1DF2FF21};c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S3 {6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};\??\c:\windows\TEMP\18EE.tmp --> c:\windows\TEMP\18EE.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} - hxxp://68.239.81.172:8000/WebDvr3.cab
DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} - hxxp://72.66.127.28/template/xWebView2.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vu3kjigr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-{C0A47779-CB82-41C2-B4A0-F3D2685BDEF6} - c:\documents and settings\User\Local Settings\Application Data\{3172B8BC-F609-4304-8270-5BEC863F5E5F}\FireDaemon-Pro-1.9.2355.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 13:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{429C823E-AF65-4C64-9ACCFAAF1DF2FF21}]
"ServiceDll"="c:\docume~1\User\LOCALS~1\Temp\18E8.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9}]
"ImagePath"="\??\c:\windows\TEMP\18EE.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SOUNDMAN.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2009-12-21 13:51:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-21 18:51

Pre-Run: 945,635,958,784 bytes free
Post-Run: 946,051,416,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 41F17A23AA16A614F44434F44FE3B25F

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:07 AM

Posted 21 December 2009 - 03:04 PM

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Then Run GMER. Instructions can be found in Step #4. Post the log once done too.

Thanks.

~EB
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 22 December 2009 - 02:23 PM

Here is the MBAM log:


Malwarebytes' Anti-Malware 1.42
Database version: 3405
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/21/2009 3:18:00 PM
mbam-log-2009-12-21 (15-18-00).txt

Scan type: Quick Scan
Objects scanned: 118194
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Here is the GMER log:



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-22 14:18:35
Windows 5.1.2600 Service Pack 2
Running: 0ciuv9ls.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kfldifod.sys


---- Processes - GMER 1.0.15 ----

Process (*** hidden *** ) 2164

---- EOF - GMER 1.0.15 ----




I am not sure why the GMER log is truncated. I am sure I followed your directions carefully.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:07 AM

Posted 22 December 2009 - 03:40 PM

Take a new DDS run for me and post back with both logs in your next reply.

#11 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 22 December 2009 - 06:06 PM

Here is the first DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 18:03:00.00 on Tue 12/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2818 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [GEST] m‘|\ü
mRun: [AlcWzrd] ALCWZRD.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link wireless n usb adapter dwa-130\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} - hxxp://68.239.81.172:8000/WebDvr3.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} - hxxp://72.66.127.28/template/xWebView2.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\vu3kjigr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 {6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9};\??\c:\windows\temp\18ee.tmp --> c:\windows\temp\18EE.tmp [?]

=============== Created Last 30 ================

2009-12-21 19:41:03 0 d-s---w- C:\ComboFix
2009-12-21 18:39:18 0 d-sha-r- C:\cmdcons
2009-12-21 18:38:42 98816 ----a-w- c:\windows\sed.exe
2009-12-21 18:38:42 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 18:38:42 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 18:38:42 161792 ----a-w- c:\windows\SWREG.exe
2009-12-04 16:56:08 0 d-----w- c:\program files\ESET
2009-12-04 16:55:26 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-12-04 16:55:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 16:55:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-04 16:55:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 16:55:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 16:42:40 0 d-----w- C:\92d0b7c0719f9314f053de
2009-12-04 16:31:30 0 d-----w- c:\program files\Trend Micro
2009-12-03 21:03:19 0 d-----w- c:\program files\AVG
2009-12-03 20:42:08 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-12-22 17:03:03 16608 ----a-w- c:\windows\gdrv.sys
2009-09-25 05:56:36 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 18:03:36.17 ===============



Here is the second DDS log:




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2009 9:08:32 AM
System Uptime: 12/22/2009 12:02:31 PM (6 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3LR
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 881.074 GiB free.
D: is CDROM ()
E: is Removable
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP168: 9/22/2009 2:03:32 PM - System Checkpoint
RP169: 9/23/2009 2:40:25 PM - System Checkpoint
RP170: 9/24/2009 3:16:56 PM - System Checkpoint
RP171: 9/25/2009 3:20:23 PM - System Checkpoint
RP172: 9/26/2009 5:08:23 PM - System Checkpoint
RP173: 9/27/2009 5:24:26 PM - System Checkpoint
RP174: 9/28/2009 5:34:17 PM - System Checkpoint
RP175: 9/29/2009 6:16:30 PM - System Checkpoint
RP176: 9/30/2009 7:12:26 PM - System Checkpoint
RP177: 10/1/2009 8:28:39 PM - System Checkpoint
RP178: 10/2/2009 9:22:31 PM - System Checkpoint
RP179: 10/3/2009 10:24:23 PM - System Checkpoint
RP180: 10/4/2009 11:13:28 PM - System Checkpoint
RP181: 10/5/2009 11:24:23 PM - System Checkpoint
RP182: 10/7/2009 12:12:23 AM - System Checkpoint
RP183: 10/8/2009 12:24:23 AM - System Checkpoint
RP184: 10/9/2009 1:41:21 AM - System Checkpoint
RP185: 10/10/2009 2:09:25 AM - System Checkpoint
RP186: 10/11/2009 3:27:30 AM - System Checkpoint
RP187: 10/12/2009 4:20:15 AM - System Checkpoint
RP188: 10/13/2009 3:00:13 AM - Software Distribution Service 3.0
RP189: 10/14/2009 3:32:24 AM - System Checkpoint
RP190: 10/15/2009 3:00:13 AM - Software Distribution Service 3.0
RP191: 10/16/2009 3:17:50 AM - System Checkpoint
RP192: 10/17/2009 3:36:27 AM - System Checkpoint
RP193: 10/18/2009 4:24:27 AM - System Checkpoint
RP194: 10/19/2009 4:36:27 AM - System Checkpoint
RP195: 10/20/2009 5:24:27 AM - System Checkpoint
RP196: 10/21/2009 5:36:27 AM - System Checkpoint
RP197: 10/22/2009 6:24:27 AM - System Checkpoint
RP198: 10/23/2009 6:36:27 AM - System Checkpoint
RP199: 10/24/2009 8:19:21 AM - System Checkpoint
RP200: 10/25/2009 8:22:21 AM - System Checkpoint
RP201: 10/26/2009 8:29:12 AM - System Checkpoint
RP202: 10/27/2009 8:34:21 AM - System Checkpoint
RP203: 10/28/2009 11:07:58 AM - System Checkpoint
RP204: 10/29/2009 11:56:33 AM - System Checkpoint
RP205: 10/30/2009 12:34:21 PM - System Checkpoint
RP206: 10/31/2009 12:38:23 PM - System Checkpoint
RP207: 11/1/2009 1:38:23 PM - System Checkpoint
RP208: 11/2/2009 3:45:33 PM - System Checkpoint
RP209: 11/3/2009 3:50:05 PM - System Checkpoint
RP210: 11/4/2009 4:41:51 PM - System Checkpoint
RP211: 11/5/2009 5:26:23 PM - System Checkpoint
RP212: 11/6/2009 6:02:45 PM - System Checkpoint
RP213: 11/7/2009 6:37:09 PM - System Checkpoint
RP214: 11/8/2009 6:25:09 PM - System Checkpoint
RP215: 11/9/2009 7:05:43 PM - System Checkpoint
RP216: 11/10/2009 7:25:09 PM - System Checkpoint
RP217: 11/11/2009 7:37:09 PM - System Checkpoint
RP218: 11/12/2009 8:25:09 PM - System Checkpoint
RP219: 11/13/2009 8:57:54 PM - System Checkpoint
RP220: 11/14/2009 9:44:26 PM - System Checkpoint
RP221: 11/15/2009 10:26:16 PM - System Checkpoint
RP222: 11/16/2009 10:38:16 PM - System Checkpoint
RP223: 11/17/2009 11:43:02 PM - System Checkpoint
RP224: 11/19/2009 4:24:21 AM - System Checkpoint
RP225: 11/20/2009 4:26:16 AM - System Checkpoint
RP226: 11/21/2009 4:37:35 AM - System Checkpoint
RP227: 11/22/2009 4:48:56 AM - System Checkpoint
RP228: 11/23/2009 5:48:56 AM - System Checkpoint
RP229: 11/25/2009 10:57:40 AM - System Checkpoint
RP230: 11/26/2009 11:48:56 AM - System Checkpoint
RP231: 11/27/2009 11:52:17 AM - System Checkpoint
RP232: 11/28/2009 12:36:56 PM - System Checkpoint
RP233: 11/29/2009 12:55:31 PM - System Checkpoint
RP234: 11/30/2009 1:46:50 PM - System Checkpoint
RP235: 12/1/2009 2:34:50 PM - System Checkpoint
RP236: 12/2/2009 2:35:55 PM - System Checkpoint
RP237: 12/3/2009 4:02:23 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP238: 12/3/2009 4:03:18 PM - Installed AVG Free 9.0
RP239: 12/4/2009 10:23:17 AM - Avg8 Update
RP240: 12/4/2009 10:24:07 AM - Avg8 Update
RP241: 12/6/2009 11:36:22 PM - System Checkpoint
RP242: 12/8/2009 12:18:06 AM - System Checkpoint
RP243: 12/10/2009 3:33:39 PM - System Checkpoint
RP244: 12/11/2009 12:57:43 PM - Avg8 Update
RP245: 12/11/2009 12:58:41 PM - Avg8 Update
RP246: 12/14/2009 4:21:34 PM - System Checkpoint
RP247: 12/19/2009 12:18:36 PM - Avg8 Update
RP248: 12/19/2009 12:30:43 PM - Removed AVG Free 9.0
RP249: 12/19/2009 12:31:44 PM - Installed AVG Free 9.0
RP250: 12/20/2009 12:48:55 PM - System Checkpoint

==== Installed Programs ======================

"Nero SoundTrax Help
32 Bit HP CIO Components Installer
7500_7600_7700_Help
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop Lightroom 2
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advertising Center
Apple Mobile Device Support
Apple Software Update
Bonjour
BPD_HPSU
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Connect
CustomerResearchQFolder
D-Link Wireless N USB Adapter DWA-130
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
DolbyFiles
DVD Flick 1.3.0.6
Energy Saver Advance B8.1015.1
ESET Online Scanner v3
eSupportQFolder
Fax
FireDaemon Pro Setup
Free DWG Viewer 6.2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
ImagXpress
iTunes
Java™ 6 Update 13
Korean Fonts Support For Adobe Reader 9
kuler
L7600
LightScribe System Software 1.14.17.1
Malwarebytes' Anti-Malware
MarketResearch
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.0.15)
MPM
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Nero 9
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
NeroLiveGadget
NeroLiveGadget Help
neroxml
NVIDIA Drivers
NVIDIA PhysX
PDF Settings CS4
Photoshop Camera Raw
ProductContext
QuickBooks Enterprise Solutions 8.0
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SolutionCenter
SoundTrax
Status
Suite Shared Configuration CS4
SupportSoft Assisted Service
Toolbox
TrayApp
Uninstall SCANTECH DVR Client
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VCRedistSetup
VLC media player 0.9.9
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/22/2009 6:03:30 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
12/19/2009 12:33:24 PM, error: Service Control Manager [7000] - The FireDaemon Service: HLDS service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:07 AM

Posted 22 December 2009 - 06:54 PM

Hello.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Driver::
    {6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9}
    {429C823E-AF65-4C64-9ACCFAAF1DF2FF21}
    File::
    c:\windows\temp\18ee.tmp
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"=-
    "3389:TCP"=-
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "3406:TCP"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GEST"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

--
Update Java to Version 6 Update 17

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for Java Runtime Environment (JRE) JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
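Parsing the report that this scan produces, as an added example that is not from the thread or from Kaspersky: it reads the statistics block and the "File name / Threat / Threats count" lines, tallies hits by threat name, by Windows user profile and by whether the file sits in the Java deployment cache, and cross-checks the header totals against the detail lines. The "Suspicious:" verdict and reading "objects found" as a count of detail lines are assumptions; the sample report is constructed in the scanner's layout.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner 7.0 report. The four
# detail lines reuse paths of the kind posted in this thread; the statistics are
# adjusted to match those four lines.
SAMPLE_REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 23, 2009
--------------------------------------------------------------------------------

Scan statistics:
Objects scanned: 121390
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:30:40


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\11\605c2ecb-3c72c27c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\50\77c3a532-2c2ddd4d Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\11\605c2ecb-3c72c27c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\50\77c3a532-2c2ddd4d Infected: Trojan-Downloader.Java.OpenConnection.at 1

Selected area has been scanned.
"""

STAT_KEYS = {"Objects scanned", "Threats found", "Infected objects found",
             "Suspicious objects found", "Scan duration"}

# One detail line: "<path, which may contain spaces> Infected: <threat name> <count>".
# "Infected:" is the verdict shown in the thread; "Suspicious:" is assumed for heuristic hits.
DETAIL_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
# Windows XP profile root: C:\Documents and Settings\<profile>\...
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)
# Lower-cased fragment identifying the Java applet cache under a profile.
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"


def parse_report(text):
    """Return (statistics dict, list of finding dicts) from the report text."""
    stats, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETAIL_RE.match(line)
        if m:
            findings.append({"path": m["path"], "verdict": m["verdict"],
                             "threat": m["threat"], "count": int(m["count"])})
            continue
        key, sep, value = line.partition(": ")
        if sep and key in STAT_KEYS:
            stats[key] = int(value) if value.isdigit() else value
    return stats, findings


def profile_of(path):
    """User profile a path belongs to, or None for paths outside Documents and Settings."""
    m = PROFILE_RE.match(path)
    return m.group(1) if m else None


def summarise(findings):
    """Tally hits by threat name, by user profile and by location class."""
    by_threat, by_profile, by_location = Counter(), Counter(), Counter()
    for f in findings:
        by_threat[f["threat"]] += f["count"]
        by_profile[profile_of(f["path"]) or "(outside user profiles)"] += f["count"]
        location = "Java deployment cache" if JAVA_CACHE in f["path"].lower() else "other"
        by_location[location] += f["count"]
    return by_threat, by_profile, by_location


def check_counts(stats, findings):
    """Cross-check the statistics block against the detail lines; return the discrepancies."""
    # Assumption: "objects found" counts detail lines, "Threats found" counts distinct names.
    expected = {
        "Threats found": len({f["threat"] for f in findings}),
        "Infected objects found": sum(1 for f in findings if f["verdict"] == "Infected"),
        "Suspicious objects found": sum(1 for f in findings if f["verdict"] == "Suspicious"),
    }
    return [f"{key}: header says {stats[key]}, detail lines give {value}"
            for key, value in expected.items() if key in stats and stats[key] != value]


if __name__ == "__main__":
    stats, findings = parse_report(SAMPLE_REPORT)
    by_threat, by_profile, by_location = summarise(findings)
    print("statistics:", stats)
    for name, tally in (("threat", by_threat), ("profile", by_profile), ("location", by_location)):
        for item, n in tally.most_common():
            print(f"  by {name}: {item}: {n}")
    for problem in check_counts(stats, findings):
        print("DISCREPANCY:", problem)
```

Feeding it the full report posted in a reply shows at a glance that every hit is a cached applet and which profiles hold one, which is the first thing a helper wants to know before deciding what to clean.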

#13 vphn

Posted 23 December 2009 - 12:41 AM

Hello,

Here is the ComboFix log:



ComboFix 09-12-22.01 - User 12/22/2009 22:26:43.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2759 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

FILE ::
"c:\windows\temp\18ee.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{429C823E-AF65-4C64-9ACCFAAF1DF2FF21}
-------\Service_{429C823E-AF65-4C64-9ACCFAAF1DF2FF21}
-------\Service_{6A1FD1E8-F9A0-48CE-BD6784CF31CB36C9}


((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-04 16:56 . 2009-12-04 16:56 -------- d-----w- c:\program files\ESET
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-12-04 16:55 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-04 16:55 . 2009-12-04 16:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 16:55 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 16:42 . 2009-12-04 16:42 -------- d-----w- C:\92d0b7c0719f9314f053de
2009-12-04 16:31 . 2009-12-04 16:31 -------- d-----w- c:\program files\Trend Micro
2009-12-03 21:03 . 2009-12-03 21:03 -------- d-----w- c:\program files\AVG
2009-12-03 15:26 . 2009-12-03 15:26 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-03 15:23 . 2009-12-03 15:23 -------- d-----w- c:\documents and settings\HelpAssistant\IGC
2009-11-28 03:25 . 2009-11-28 03:25 79488 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 03:21 . 2009-05-13 13:25 16608 ----a-w- c:\windows\gdrv.sys
2009-12-09 00:44 . 2009-06-03 21:14 -------- d-----w- c:\documents and settings\User\Application Data\U3
2009-11-23 19:56 . 2009-05-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-25 05:56 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-21_18.47.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-23 03:21 . 2009-12-23 03:21 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2009-12-23 03:21 . 2009-12-23 03:21 16384 c:\windows\Temp\Perflib_Perfdata_4d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-26 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-5-13 972064]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2008-2-15 300320]
Wireless Connection Manager.lnk - c:\program files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe [2009-5-19 20512768]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [5/13/2009 8:26 AM 68136]
S2 HLDS;FireDaemon Service: HLDS;c:\program files\FireDaemon\FireDaemon.exe -s --> c:\program files\FireDaemon\FireDaemon.exe -s [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} - hxxp://68.239.81.172:8000/WebDvr3.cab
DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} - hxxp://72.66.127.28/template/xWebView2.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\vu3kjigr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 22:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2068)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-12-22 22:31:47
ComboFix-quarantined-files.txt 2009-12-23 03:31
ComboFix2.txt 2009-12-21 18:51

Pre-Run: 945,918,164,992 bytes free
Post-Run: 945,886,072,832 bytes free

- - End Of File - - 8173019A5B42F35A51AC4DC65087E438


Here is the Kaspersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 23, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 23, 2009 02:44:17
Records in database: 3401079
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 121390
Threats found: 2
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 01:30:40


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\11\605c2ecb-3c72c27c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\11\76fabacb-4633490e Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\17\3ca3cd51-15b1211c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-3414f68c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-31c56e26 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\50\77c3a532-2c2ddd4d Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-25d628a1 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\HelpAssistant\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-6ead1dad Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\11\605c2ecb-3c72c27c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\11\76fabacb-4633490e Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\17\3ca3cd51-15b1211c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\34\4bb348e2-3414f68c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\2fe44d2e-31c56e26 Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\50\77c3a532-2c2ddd4d Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\57\4839f1b9-25d628a1 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\60\59af077c-6ead1dad Infected: Trojan-Downloader.Java.OpenConnection.at 1

Selected area has been scanned.


Here is the DDS log:



DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 0:35:29.01 on Wed 12/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2735 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\D-Link\D-Link Wireless N USB Adapter DWA-130\wirelesscm.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link wireless n usb adapter dwa-130\wirelesscm.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {BA5E57BB-88D5-422A-AC9E-C01A6EEE2537} - hxxp://68.239.81.172:8000/WebDvr3.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D25A9538-F962-4501-9E68-D7C3DDECB148} - hxxp://72.66.127.28/template/xWebView2.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\vu3kjigr.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-5-13 68136]
S2 HLDS;FireDaemon Service: HLDS;c:\program files\firedaemon\firedaemon.exe -s --> c:\program files\firedaemon\FireDaemon.exe -s [?]

=============== Created Last 30 ================

2009-12-23 03:38:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-21 18:39:18 0 d-sha-r- C:\cmdcons
2009-12-21 18:38:42 98816 ----a-w- c:\windows\sed.exe
2009-12-21 18:38:42 77312 ----a-w- c:\windows\MBR.exe
2009-12-21 18:38:42 261632 ----a-w- c:\windows\PEV.exe
2009-12-21 18:38:42 161792 ----a-w- c:\windows\SWREG.exe
2009-12-04 16:56:08 0 d-----w- c:\program files\ESET
2009-12-04 16:55:26 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2009-12-04 16:55:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 16:55:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-04 16:55:19 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-04 16:55:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 16:42:40 0 d-----w- C:\92d0b7c0719f9314f053de
2009-12-04 16:31:30 0 d-----w- c:\program files\Trend Micro
2009-12-03 21:03:19 0 d-----w- c:\program files\AVG
2009-12-03 20:42:08 0 d-----w- c:\windows\pss

==================== Find3M ====================

2009-12-23 03:38:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 03:35:11 16608 ----a-w- c:\windows\gdrv.sys
2009-09-25 05:56:36 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 0:35:34.87 ===============



Finally, here is the Attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2009 9:08:32 AM
System Uptime: 12/22/2009 10:34:38 PM (2 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | EP45-UD3LR
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz
Processor: Intel Pentium III Xeon processor | Socket 775 | 2333/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 932 GiB total, 880.734 GiB free.
D: is CDROM ()
E: is Removable
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP168: 9/22/2009 2:03:32 PM - System Checkpoint
RP169: 9/23/2009 2:40:25 PM - System Checkpoint
RP170: 9/24/2009 3:16:56 PM - System Checkpoint
RP171: 9/25/2009 3:20:23 PM - System Checkpoint
RP172: 9/26/2009 5:08:23 PM - System Checkpoint
RP173: 9/27/2009 5:24:26 PM - System Checkpoint
RP174: 9/28/2009 5:34:17 PM - System Checkpoint
RP175: 9/29/2009 6:16:30 PM - System Checkpoint
RP176: 9/30/2009 7:12:26 PM - System Checkpoint
RP177: 10/1/2009 8:28:39 PM - System Checkpoint
RP178: 10/2/2009 9:22:31 PM - System Checkpoint
RP179: 10/3/2009 10:24:23 PM - System Checkpoint
RP180: 10/4/2009 11:13:28 PM - System Checkpoint
RP181: 10/5/2009 11:24:23 PM - System Checkpoint
RP182: 10/7/2009 12:12:23 AM - System Checkpoint
RP183: 10/8/2009 12:24:23 AM - System Checkpoint
RP184: 10/9/2009 1:41:21 AM - System Checkpoint
RP185: 10/10/2009 2:09:25 AM - System Checkpoint
RP186: 10/11/2009 3:27:30 AM - System Checkpoint
RP187: 10/12/2009 4:20:15 AM - System Checkpoint
RP188: 10/13/2009 3:00:13 AM - Software Distribution Service 3.0
RP189: 10/14/2009 3:32:24 AM - System Checkpoint
RP190: 10/15/2009 3:00:13 AM - Software Distribution Service 3.0
RP191: 10/16/2009 3:17:50 AM - System Checkpoint
RP192: 10/17/2009 3:36:27 AM - System Checkpoint
RP193: 10/18/2009 4:24:27 AM - System Checkpoint
RP194: 10/19/2009 4:36:27 AM - System Checkpoint
RP195: 10/20/2009 5:24:27 AM - System Checkpoint
RP196: 10/21/2009 5:36:27 AM - System Checkpoint
RP197: 10/22/2009 6:24:27 AM - System Checkpoint
RP198: 10/23/2009 6:36:27 AM - System Checkpoint
RP199: 10/24/2009 8:19:21 AM - System Checkpoint
RP200: 10/25/2009 8:22:21 AM - System Checkpoint
RP201: 10/26/2009 8:29:12 AM - System Checkpoint
RP202: 10/27/2009 8:34:21 AM - System Checkpoint
RP203: 10/28/2009 11:07:58 AM - System Checkpoint
RP204: 10/29/2009 11:56:33 AM - System Checkpoint
RP205: 10/30/2009 12:34:21 PM - System Checkpoint
RP206: 10/31/2009 12:38:23 PM - System Checkpoint
RP207: 11/1/2009 1:38:23 PM - System Checkpoint
RP208: 11/2/2009 3:45:33 PM - System Checkpoint
RP209: 11/3/2009 3:50:05 PM - System Checkpoint
RP210: 11/4/2009 4:41:51 PM - System Checkpoint
RP211: 11/5/2009 5:26:23 PM - System Checkpoint
RP212: 11/6/2009 6:02:45 PM - System Checkpoint
RP213: 11/7/2009 6:37:09 PM - System Checkpoint
RP214: 11/8/2009 6:25:09 PM - System Checkpoint
RP215: 11/9/2009 7:05:43 PM - System Checkpoint
RP216: 11/10/2009 7:25:09 PM - System Checkpoint
RP217: 11/11/2009 7:37:09 PM - System Checkpoint
RP218: 11/12/2009 8:25:09 PM - System Checkpoint
RP219: 11/13/2009 8:57:54 PM - System Checkpoint
RP220: 11/14/2009 9:44:26 PM - System Checkpoint
RP221: 11/15/2009 10:26:16 PM - System Checkpoint
RP222: 11/16/2009 10:38:16 PM - System Checkpoint
RP223: 11/17/2009 11:43:02 PM - System Checkpoint
RP224: 11/19/2009 4:24:21 AM - System Checkpoint
RP225: 11/20/2009 4:26:16 AM - System Checkpoint
RP226: 11/21/2009 4:37:35 AM - System Checkpoint
RP227: 11/22/2009 4:48:56 AM - System Checkpoint
RP228: 11/23/2009 5:48:56 AM - System Checkpoint
RP229: 11/25/2009 10:57:40 AM - System Checkpoint
RP230: 11/26/2009 11:48:56 AM - System Checkpoint
RP231: 11/27/2009 11:52:17 AM - System Checkpoint
RP232: 11/28/2009 12:36:56 PM - System Checkpoint
RP233: 11/29/2009 12:55:31 PM - System Checkpoint
RP234: 11/30/2009 1:46:50 PM - System Checkpoint
RP235: 12/1/2009 2:34:50 PM - System Checkpoint
RP236: 12/2/2009 2:35:55 PM - System Checkpoint
RP237: 12/3/2009 4:02:23 PM - Removed Microsoft Visual C++ 2005 Redistributable
RP238: 12/3/2009 4:03:18 PM - Installed AVG Free 9.0
RP239: 12/4/2009 10:23:17 AM - Avg8 Update
RP240: 12/4/2009 10:24:07 AM - Avg8 Update
RP241: 12/6/2009 11:36:22 PM - System Checkpoint
RP242: 12/8/2009 12:18:06 AM - System Checkpoint
RP243: 12/10/2009 3:33:39 PM - System Checkpoint
RP244: 12/11/2009 12:57:43 PM - Avg8 Update
RP245: 12/11/2009 12:58:41 PM - Avg8 Update
RP246: 12/14/2009 4:21:34 PM - System Checkpoint
RP247: 12/19/2009 12:18:36 PM - Avg8 Update
RP248: 12/19/2009 12:30:43 PM - Removed AVG Free 9.0
RP249: 12/19/2009 12:31:44 PM - Installed AVG Free 9.0
RP250: 12/20/2009 12:48:55 PM - System Checkpoint
RP251: 12/22/2009 10:33:07 PM - Removed Java™ 6 Update 13
RP252: 12/22/2009 10:38:09 PM - Installed Java™ 6 Update 17

==== Installed Programs ======================

"Nero SoundTrax Help
32 Bit HP CIO Components Installer
7500_7600_7700_Help
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop Lightroom 2
Adobe Reader 9.1
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advertising Center
Apple Mobile Device Support
Apple Software Update
Bonjour
BPD_HPSU
BPD_Scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Connect
CustomerResearchQFolder
D-Link Wireless N USB Adapter DWA-130
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
DolbyFiles
DVD Flick 1.3.0.6
Energy Saver Advance B8.1015.1
ESET Online Scanner v3
eSupportQFolder
Fax
FireDaemon Pro Setup
Free DWG Viewer 6.2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Solution Center 8.0
HP Update
HPProductAssistant
HPSSupply
ImagXpress
iTunes
Java™ 6 Update 17
Korean Fonts Support For Adobe Reader 9
kuler
L7600
LightScribe System Software 1.14.17.1
Malwarebytes' Anti-Malware
MarketResearch
Menu Templates - Starter Kit
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Movie Templates - Starter Kit
Mozilla Firefox (3.0.15)
MPM
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Nero 9
Nero Burning ROM Help
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express Help
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
NeroLiveGadget
NeroLiveGadget Help
neroxml
NVIDIA Drivers
NVIDIA PhysX
PDF Settings CS4
Photoshop Camera Raw
ProductContext
QuickBooks Enterprise Solutions 8.0
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SolutionCenter
SoundTrax
Status
Suite Shared Configuration CS4
SupportSoft Assisted Service
Toolbox
TrayApp
Uninstall SCANTECH DVR Client
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VCRedistSetup
VLC media player 0.9.9
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Presentation Foundation
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/22/2009 7:54:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the SamSs service.
12/22/2009 7:54:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ProtectedStorage service.
12/22/2009 7:53:36 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the PolicyAgent service.
12/22/2009 6:03:30 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
12/21/2009 1:47:23 PM, error: Service Control Manager [7000] - The FireDaemon Service: HLDS service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================

#14 vphn

vphn
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 23 December 2009 - 01:09 AM

My computer seems to be running fine now. No problems so far. Hope it stays that way.

Do the logs look alright to you?

Regardless, thank you very much for spending all these hours/days helping me. Hope you have a great holiday!

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:07 AM

Posted 23 December 2009 - 11:34 AM

Yes, it looks good.

Just please install an anti-virus software.

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below. Update it after the installation is complete, please.

Then clear your cache: http://fxtrade.oanda.com/support/troubleshooting/clear_cache

--
Now we can wrap up.

Please follow/read the steps below to remove the tools we used and for some more information. :)


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System A bit Slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, then here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.

Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and Good luck :)


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.
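As an added example (not part of the thread and not extremeboy's or vphn's own code), the Windows PowerShell script below reproduces, from a live system, the three things the DDS log earlier in this thread listed by hand: installed programs with their versions, installed Microsoft hotfixes (the KB numbers), and Service Control Manager errors from the past week. It then goes one step further than the log and lists services whose executable no longer exists on disk, which is the condition behind the event 7000 entry for the "FireDaemon Service: HLDS" service ("The system cannot find the file specified"). It assumes Windows PowerShell 2.0 or later and, on Vista and later, an elevated prompt for the System event log; the Wow6432Node registry key only exists on 64-bit Windows and is skipped silently elsewhere.

```powershell
# Added example, not from the BleepingComputer thread. Inventory what the DDS
# log showed by hand so the "update everything regularly" advice can be
# checked: installed programs, installed hotfixes, SCM errors, and services
# pointing at executables that no longer exist.

# Installed programs with version, from the 32-bit and (if present) 64-bit
# Uninstall keys. Assumption: standard Add/Remove Programs registry layout.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName

"=== Installed programs (compare DisplayVersion against the vendor's current release) ==="
$programs | Format-Table -AutoSize

# Installed Microsoft hotfixes, newest first. HotFixID matches the KBnnnnnn in
# the "Security Update for Windows XP (KBnnnnnn)" entries of the log.
"=== Installed hotfixes ==="
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# Service Control Manager errors from the past 7 days, i.e. the "Event Viewer
# Messages From Past Week" section. Event 7000 = service failed to start,
# event 7011 = 30 second transaction timeout; both appear in this thread.
"=== Service Control Manager errors, past 7 days ==="
Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddDays(-7) |
    Where-Object { $_.Source -eq 'Service Control Manager' } |
    Sort-Object TimeGenerated -Descending |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -Wrap -AutoSize

# A 7000 "cannot find the file specified" error means a service registration
# still points at an executable that is gone. Such a stale entry keeps failing
# on every boot; once confirmed it is not wanted it can be removed with
# "sc delete <name>". Extract the bare executable from each service's PathName
# (quoted path, or everything up to the first ".exe" if unquoted) and test it.
"=== Services whose executable is missing ==="
Get-WmiObject Win32_Service | ForEach-Object {
    $p = $_.PathName
    if (-not $p) { return }
    if ($p -match '^"([^"]+)"') { $exe = $matches[1] }
    elseif ($p -match '^(.+?\.exe)') { $exe = $matches[1] }
    else { $exe = $p }
    if (-not (Test-Path -LiteralPath $exe)) {
        New-Object PSObject -Property @{
            Name      = $_.Name
            StartMode = $_.StartMode
            PathName  = $p
        }
    }
} | Format-Table Name, StartMode, PathName -AutoSize
```

Run it from an elevated Windows PowerShell prompt; each section prints a table. The last table is the one worth acting on: any service listed there is either leftover from an uninstall (as with the FireDaemon HLDS service in this thread) or a broken persistence entry, and in both cases the registration should be removed rather than left to error at every boot.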



