HijackThis Log: Please help Diagnose

Hi there!

My dad is having problems with this computer slowing down and Internet Explorer tabs dissappearing when trying to open them. CA antivirus keeps detecting "Win32/ZAccess.ED" and deleting it, but it pops up again 5 minutes later saying that it has detected/deleted it again.

He is not the most computer savvy person so unsure whether he might have downloaded something from email without realising it.

Any help much appreciated! Thanks!

----------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:28:38 PM, on 20/06/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\Program Files\Zune\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJP.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\casc.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\Epson Software\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EPSON NX130 TX130 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJP.EXE /FU "C:\WINDOWS\TEMP\E_S71.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10326 bytes

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
• Click the Disable button to disable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Hi Mole! Thanks so much for your reply.
Here is the DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Brian at 16:43:26 on 2012-06-25
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uDefault_Page_URL = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [Google Update] "c:\documents and settings\brian\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EPSON NX130 TX130 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatihjp.exe /fu "c:\windows\temp\E_S71.tmp" /EF "HKCU"
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [CAVRID] "c:\program files\ca\etrust vet antivirus\CAVRID.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol70t~1.lnk - c:\program files\aol 7.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-explorer: <NO NAME> =
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
TCP: Interfaces\{5C274761-EE60-4157-AAB5-47188655D70D} : DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-06-14 06:43:24 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
.
==================== Find3M ====================
.
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2008-01-05 00:34:55 2243840 ----a-w- c:\program files\FoxitReader22_setup.exe
2005-03-28 09:03:26 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
2005-03-28 09:01:12 6811904 ----a-w- c:\program files\psa2011se_us.exe
.
============= FINISH: 16:44:59.98 ===============

I downloaded and ran the DeFogger program, however it did not prompt me to restart my computer as the instructions said that it would... so I restarted the computer manually.

I had a problem turning the CA antivirus off - namely, I couldn't figure out how to. Even internet searches were unhelpful - they kept telling me to left click on the icon on the system tray, only it doesn't appear to be in the system tray.

I tried skipping that part and turning internet (router) off and running GMER, but it has now been going for over 4 hours and I unfortunately have to leave my dad's now. I didn't realise how long it would take - is it suppose to take several hours?

I will try to run GMER next time I am here for a long period of time you would like me to try it again.

Thanks again for your help.

Can you run aswMBR, we are looking at a rootkit here and need to find out which variant we are dealing with

Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
• Click the Scan button to start the scan
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

This topic has been re-opened at the request of the person who originally posted.

Thanks very much for your understanding in my situation, Mole!

The first time I ran the aswMBR, the computer crashed and gave me a blue screen saying:

"A problem has been detected and windows has been shut down to prevent damage to your computer
IRQL_NOT_LESS_OR_EQUAL
Techinical information:
*** STOP: 0x0000000A (0x00FB3036, 0x0000001C, 0x00000000, 0x804E5E11)
Blah blah press F8 at startup to start in safe mode if this happens again...
Beggining dump of physical memory
Physical memory dump complete"

This is the first time we have seen the blue screen to my knowledge.

I restarted and ran aswMBR again, with no problems. Here is the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-02 12:54:51
-----------------------------
12:54:51.953 OS Version: Windows 5.1.2600 Service Pack 3
12:54:51.953 Number of processors: 2 586 0x304
12:54:51.953 ComputerName: BRIANOFFICE UserName: Brian
12:54:53.046 Initialize success
12:54:57.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:54:57.703 Disk 0 Vendor: ST340014A 3.16 Size: 38146MB BusType: 3
12:54:57.734 Disk 0 MBR read successfully
12:54:57.734 Disk 0 MBR scan
12:54:57.734 Disk 0 Windows XP default MBR code
12:54:57.765 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
12:54:57.781 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38107 MB offset 64260
12:54:57.812 Disk 0 scanning sectors +78108030
12:54:57.953 Disk 0 scanning C:\WINDOWS\system32\drivers
12:55:14.828 Service scanning
12:55:50.453 Modules scanning
12:56:06.828 Disk 0 trace - called modules:
12:56:06.859 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
12:56:06.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7dcab8]
12:56:06.859 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a840d98]
12:56:06.859 Scan finished successfully
12:56:24.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brian\Desktop\MBR.dat"
12:56:24.468 The log file has been saved successfully to "C:\Documents and Settings\Brian\Desktop\aswMBR.txt"

I think it might be worth trying something a bit more powerful to check these boot problems

Please download ComboFix from one of these locations:

• Bleepingcomputer
• ForoSpyware

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe

• Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Comfix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I have followed the instructions on how to snooze CA antivirus (though this version is slightly different to the instructions), but even after that, the comfix.exe program keeps prompting:

"Warning ComboFix cannot run when CA Antivirus is installed. It would be dangerous to continue. Please uninstall CA Antivirus or use another tool."

And then disappears once I click ok...

Can you uninstall CA while we check the system?

I uninstalled CA antivirus and ran ComboFix. It needed to install the Windows Recovery Console. After ComboFix rebooted the machine and reran, where it told me:

"You are infected with Rootkit.ZeroAccess! It inserted itself into the tcp/ip stack. This is a particularly difficult infection..."

Here is the log:

-----------------------------------

ComboFix 12-07-02.01 - Brian 04/07/2012 18:03:22.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1732 [GMT 10:00]
Running from: c:\documents and settings\Brian\Desktop\comfix.exe.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\stb06759.tmp
C:\install.exe
c:\program files\psa2011se_us.exe
c:\windows\$NtUninstallKB57213$
c:\windows\$NtUninstallKB57213$\1578991968\@
c:\windows\$NtUninstallKB57213$\1578991968\bckfg.tmp
c:\windows\$NtUninstallKB57213$\1578991968\cfg.ini
c:\windows\$NtUninstallKB57213$\1578991968\Desktop.ini
c:\windows\$NtUninstallKB57213$\1578991968\keywords
c:\windows\$NtUninstallKB57213$\1578991968\kwrd.dll
c:\windows\$NtUninstallKB57213$\1578991968\L\asobptkf
c:\windows\$NtUninstallKB57213$\1578991968\U\00000001.@
c:\windows\$NtUninstallKB57213$\1578991968\U\00000002.@
c:\windows\$NtUninstallKB57213$\1578991968\U\00000004.@
c:\windows\$NtUninstallKB57213$\1578991968\U\80000000.@
c:\windows\$NtUninstallKB57213$\1578991968\U\80000004.@
c:\windows\$NtUninstallKB57213$\1578991968\U\80000032.@
c:\windows\$NtUninstallKB57213$\2453514568
c:\windows\_iserr31.ini
c:\windows\assembly\GAC\Desktop.ini
c:\windows\help\wmplayer.bak
c:\windows\system32\CddbCdda.dll
c:\windows\system32\comrepl.exe
c:\windows\system32\SET70.tmp
c:\windows\system32\SET75.tmp
c:\windows\system32\tmp.reg
.
.
((((((((((((((((((((((((( Files Created from 2012-06-04 to 2012-07-04 )))))))))))))))))))))))))))))))
.
.
2012-06-14 14:10 . 2012-06-14 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-06-14 06:43 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 07:15 . 2012-06-11 07:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-06-10 23:48 . 2012-06-10 23:48 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 05:19 . 2007-06-20 23:11 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:19 . 2007-06-20 23:11 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:19 . 2004-09-06 09:38 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:19 . 2004-09-06 09:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:19 . 2004-09-06 09:38 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:19 . 2007-06-20 23:11 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:19 . 2005-05-25 18:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:19 . 2004-09-06 09:38 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:19 . 2002-08-28 21:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:19 . 2002-08-28 21:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:19 . 2007-06-20 23:11 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:19 . 2004-09-06 09:38 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:19 . 2002-08-28 21:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:18 . 2011-12-09 03:19 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:18 . 2011-12-09 03:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 05:18 . 2011-12-09 03:19 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-06-01 11:36 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-02-06 10:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-28 21:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-28 21:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-28 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 1979-12-31 16:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 1979-12-31 16:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2002-08-28 21:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2008-01-05 00:34 . 2008-01-05 00:34 2243840 ----a-w- c:\program files\FoxitReader22_setup.exe
2005-03-28 09:03 . 2005-03-28 09:01 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 135264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-08-29 979328]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [N/A]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DVDSentry"=c:\windows\System32\DSentry.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
.
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [14/05/2009 5:07 PM 759048]
S0 ipbm;ipbm;c:\windows\system32\drivers\sengmsn.sys --> c:\windows\system32\drivers\sengmsn.sys [?]
S1 MpKsl454df8e0;MpKsl454df8e0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1EB52141-35C6-4DD6-952C-E4740E798D0D}\MpKsl454df8e0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1EB52141-35C6-4DD6-952C-E4740E798D0D}\MpKsl454df8e0.sys [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [5/08/2011 12:30 PM 268512]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 07:57]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533214266-4234210082-3926933026-1007Core.job
- c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 00:41]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533214266-4234210082-3926933026-1007UA.job
- c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 00:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-04 18:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3352)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-07-04 18:30:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-04 08:30
.
Pre-Run: 5,152,432,128 bytes free
Post-Run: 6,754,267,136 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 9ED8EF4F2BD2FE0D3D7C800F763C5C0F


Can I reinstall the CA antivirus now? Or is there more to go? We haven't actually had the problem with the Internet Explorer tabs dissappearing for about a week now, but the last time we ran the antivirus it picked up more of the Win32/ZAccess.ED, so am guessing it wasn't gone at that stage (before running ComboFix at least).

Thanks again for all your help.

The ZeroAccess rootkit needs sorting out first. The Uninstall folders in the Combofix log are all ZeroAccess. Please run Combofix so we can remove the malicious driver (this has been stopped but needs to go)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Rootkit::
c:\windows\system32\drivers\sengmsn.sys

Driver::
ipbm

Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

ComboFix 12-07-04.04 - Brian 05/07/2012 10:31:12.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1680 [GMT 10:00]
Running from: c:\documents and settings\Brian\Desktop\comfix.exe.exe
Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ipbm
.
.
((((((((((((((((((((((((( Files Created from 2012-06-05 to 2012-07-05 )))))))))))))))))))))))))))))))
.
.
2012-06-14 14:10 . 2012-06-14 14:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-06-14 06:43 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-11 07:15 . 2012-06-11 07:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-06-10 23:48 . 2012-06-10 23:48 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 05:19 . 2007-06-20 23:11 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 05:19 . 2007-06-20 23:11 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 05:19 . 2004-09-06 09:38 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 05:19 . 2004-09-06 09:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 05:19 . 2004-09-06 09:38 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 05:19 . 2007-06-20 23:11 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 05:19 . 2005-05-25 18:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 05:19 . 2004-09-06 09:38 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 05:19 . 2002-08-28 21:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 05:19 . 2002-08-28 21:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 05:19 . 2007-06-20 23:11 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 05:19 . 2004-09-06 09:38 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 05:19 . 2002-08-28 21:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 05:18 . 2011-12-09 03:19 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 05:18 . 2011-12-09 03:19 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 05:18 . 2011-12-09 03:19 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-06-01 11:36 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-02-06 10:05 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2002-08-28 21:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-08-28 21:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-08-28 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:16 . 1979-12-31 16:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 1979-12-31 16:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2002-08-28 21:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2008-01-05 00:34 . 2008-01-05 00:34 2243840 ----a-w- c:\program files\FoxitReader22_setup.exe
2005-03-28 09:03 . 2005-03-28 09:01 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-06-15 229376]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-26 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-02 135264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-08-29 979328]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [N/A]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DVDSentry"=c:\windows\System32\DSentry.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [14/05/2009 5:07 PM 759048]
S1 MpKsl454df8e0;MpKsl454df8e0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1EB52141-35C6-4DD6-952C-E4740E798D0D}\MpKsl454df8e0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1EB52141-35C6-4DD6-952C-E4740E798D0D}\MpKsl454df8e0.sys [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [5/08/2011 12:30 PM 268512]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 07:57]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533214266-4234210082-3926933026-1007Core.job
- c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 00:41]
.
2012-07-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1533214266-4234210082-3926933026-1007UA.job
- c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-27 00:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
TCP: DhcpNameServer = 211.29.152.116 198.142.0.51 211.29.132.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-05 10:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-07-05 10:46:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-05 00:46
ComboFix2.txt 2012-07-04 08:30
.
Pre-Run: 6,765,748,224 bytes free
Post-Run: 6,653,546,496 bytes free
.
- - End Of File - - 7404FE201531CCF7EEAE27C6FD378CDE

That's cleaned that.

I would like to run ESET's online scanner next

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Under scan settings, check and check Remove found threats
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• Copy and paste the resulting log in your next reply

If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.


When that's posted then please reinstall CA and run a scan. Do you still get that file flagged?