BleepingComputer.com: WHS infected?


WHS infected? random BSODs, antivirus/antimalware crashes, browser problems

#31 teacup61 (Malware Response Team)

Posted 02 October 2009 - 05:29 PM

Hi Eric,

You can try it, but I'm not 100% sure it's Spybot.

There's a ton of entries to go through... some are recognizable at a glance, but others are questionable. I'd like to have this one analyzed, please:

Please navigate to the following file: f:\windows\system32\dllcache\xlog.exe

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#32 damnitbeavis (Member)

Posted 02 October 2009 - 10:03 PM


#33 teacup61 (Malware Response Team)

Posted 07 October 2009 - 05:40 PM

Thanks... :(

Did you try the Spybot thing? My apologies, but I thought you were going to try that. I must have misunderstood.

tea

#34 damnitbeavis (Member)

Posted 07 October 2009 - 08:55 PM

Tea,

So I uninstalled Spybot, and ran ComboFix and HJT. Here are the logs. Sorry I had misunderstood you before!

Eric

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:12 PM, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Creative\Shared Files\CTAudSvc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Windows Home Server\WHSConnector.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Palm\Hotsync.exe
F:\Program Files\SqueezeCenter\SqueezeTray.exe
F:\Program Files\Windows Home Server\WHSTrayApp.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\notepad.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BrowserHelper Class - {9A065C65-4EE7-4DDD-9918-F129089A894A} - F:\Program Files\Windows Home Server\WHSDeskBands.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Home Server Banner - {D73E76A3-F902-45BD-8FC8-95AE8E014671} - F:\Program Files\Windows Home Server\WHSDeskBands.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CXMon] "F:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = F:\Program Files\Belkin\F5D8001v2\Belkinwcui.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = F:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = F:\Program Files\SqueezeCenter\SqueezeTray.exe
O4 - Global Startup: Windows Home Server.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191385614654
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FC6703A7-5B7E-4f58-BE6D-2693AA3906AE} (HP Content Update) - http://h30155.www3.hp.com/ediags/hpna/66/i...hp.cab?1,0,0,94
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - F:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - F:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - F:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - F:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - F:\Program Files\Common Files\element5 Share`\Service\Licence Manager ESD.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SqueezeMySQL - Unknown owner - F:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe

--
End of file - 8016 bytes

ComboFix 09-10-06.04 - E 10/07/2009 18:44.4.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1388 [GMT -7:00]
Running from: F:\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 091007-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\docume~1\E\LOCALS~1\Temp\pdk-E\054a515a11c7920cfc4d7faea7af4932\XS.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\14f8cfecb15e1c87916789ed739489ff\Expat.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\1c4c331123ae5269fbd179de68e18722\Socket.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\4698d6dad1d9192f189448cd2250e41c\Registry.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\480ac5427cb6705921c199c825f6feda\File.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\531074183cd92c8ee6e38095fed64379\Detector.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\563d7ead40b59c49009856a0b10f2014\Array.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\5665e9d91ffd5329b4b069811edd98e1\XS.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\5f4010392d26de2972604a5df777f946\perl58.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\6b58dab08175faa9470d9b8f08345f77\Byte.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\6ecc81286663495601d2499da7def595\Zlib.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\776043a051266bed6315875a8a879b49\GD.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\804a82b53759189a7786eee16508a628\Unicode.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\8715287e64467664fda73ee36a680ad6\ReadKey.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\899240261dde99660e14431e6d8d1fe9\DBI.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\8d9ba91df5b696882e70aa59f4766acb\Storable.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\93e8018418e0dd3aeabcea5210c424d9\IO.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\95e9a2327e375c6b6f41bca6adf49352\Registry.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\a507fccf2be25b878761a66bf411c201\mysql.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\ad76515ff4d1de346e3888790190a3c0\API.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b2a041897a5d2e9486f60c2f6017af23\Peek.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\b5ac0b87ff26ec339558537436e82acd\HiRes.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\baf7b671cd22e344218d4404c5715954\FileSecurity.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\bbd2dcfa51103025d57caa776bc1047b\B.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c0bb48510a66e6fdcb5936be6801222d\MD5.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c147fa650a1a0662dceef2f7ea370a7d\List.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c537490a8d5597db7ef38c63a14dd378\Base64.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\cd6be9554293967a36ad1075b097a79b\OLE.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\e51718032942dd5fb4b1590be1ec8d83\Process.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
f:\docume~1\E\LOCALS~1\Temp\pdk-E\fb2e449d6244301907de33f5adebdb35\POSIX.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\054a515a11c7920cfc4d7faea7af4932\XS.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\0fdf6651ec58af7738a5f192a16308f3\WinError.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\12913763d8b9f06d2ca82771fcb306f1\Parser.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\14f8cfecb15e1c87916789ed739489ff\Expat.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\1c4c331123ae5269fbd179de68e18722\Socket.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\37dbb36b1afb4153f311e1937d13beb9\Win32.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\463172d63e5c347ebd2a2c9f3e30a769\Cwd.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\4698d6dad1d9192f189448cd2250e41c\Registry.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\480ac5427cb6705921c199c825f6feda\File.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\4e2f70cf514e42eb8319b6c42723ed06\Dumper.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\514f58c7649fa1fe7afd0239e90bf91d\SHA1.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\531074183cd92c8ee6e38095fed64379\Detector.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\563d7ead40b59c49009856a0b10f2014\Array.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\5665e9d91ffd5329b4b069811edd98e1\XS.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\5f4010392d26de2972604a5df777f946\perl58.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\619eb23c53abde1a9d9d6b8d81ccd746\Util.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\6b58dab08175faa9470d9b8f08345f77\Byte.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\6ecc81286663495601d2499da7def595\Zlib.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\776043a051266bed6315875a8a879b49\GD.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\804a82b53759189a7786eee16508a628\Unicode.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\8715287e64467664fda73ee36a680ad6\ReadKey.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\899240261dde99660e14431e6d8d1fe9\DBI.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\8d9ba91df5b696882e70aa59f4766acb\Storable.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\93e8018418e0dd3aeabcea5210c424d9\IO.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\95e9a2327e375c6b6f41bca6adf49352\Registry.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\9e11e8cf40c66b8d30f95ce783f2ac0b\Hostname.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\a507fccf2be25b878761a66bf411c201\mysql.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\ad76515ff4d1de346e3888790190a3c0\API.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b1ef31ab16378a4b392b3d07f25c074a\Service.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b2a041897a5d2e9486f60c2f6017af23\Peek.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b44b56de153a5879c1b84993c5cdadfa\Shortcut.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\b5ac0b87ff26ec339558537436e82acd\HiRes.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\baf7b671cd22e344218d4404c5715954\FileSecurity.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\bbd2dcfa51103025d57caa776bc1047b\B.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c0bb48510a66e6fdcb5936be6801222d\MD5.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c147fa650a1a0662dceef2f7ea370a7d\List.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c537490a8d5597db7ef38c63a14dd378\Base64.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\c92f1c7d4396f53f4c5d352e2bd8c9a9\Syck.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\cd6be9554293967a36ad1075b097a79b\OLE.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\e247dd11d21a2bfdb97ad0cdd295b32d\Encode.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\e51718032942dd5fb4b1590be1ec8d83\Process.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\ea8f9cce13d067ab0d898ca399b403ed\Fcntl.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\fa142febd5dc53f93f911452e1a99387\Hebrew.dll
f:\documents and settings\E\Local Settings\Temp\pdk-E\fb2e449d6244301907de33f5adebdb35\POSIX.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 01:42 . 2009-10-08 01:42 3327820 ----a-r- F:\ComboFix.exe
2009-09-30 01:03 . 2009-09-30 01:03 -------- d-----w- f:\documents and settings\All Users\Application Data\F-Secure
2009-09-28 21:36 . 2008-04-14 00:12 116224 -c--a-w- f:\windows\system32\dllcache\xrxwiadr.dll
2009-09-28 21:36 . 2001-08-18 05:36 23040 -c--a-w- f:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-28 21:36 . 2008-04-14 00:12 18944 -c--a-w- f:\windows\system32\dllcache\xrxscnui.dll
2009-09-28 21:36 . 2001-08-18 05:37 27648 -c--a-w- f:\windows\system32\dllcache\xrxftplt.exe
2009-09-28 21:36 . 2001-08-18 05:37 4608 -c--a-w- f:\windows\system32\dllcache\xrxflnch.exe
2009-09-28 21:36 . 2001-08-18 05:37 99865 -c--a-w- f:\windows\system32\dllcache\xlog.exe
2009-09-28 21:36 . 2001-08-17 19:11 16970 -c--a-w- f:\windows\system32\dllcache\xem336n5.sys
2009-09-28 21:36 . 2004-08-04 05:29 19455 -c--a-w- f:\windows\system32\dllcache\wvchntxx.sys
2009-09-28 21:36 . 2008-04-13 18:46 19200 -c--a-w- f:\windows\system32\dllcache\wstcodec.sys
2009-09-28 21:36 . 2004-08-04 05:29 12063 -c--a-w- f:\windows\system32\dllcache\wsiintxx.sys
2009-09-28 21:36 . 2008-04-14 00:12 8192 -c--a-w- f:\windows\system32\dllcache\wshirda.dll
2009-09-28 21:36 . 2008-04-13 18:36 8832 -c--a-w- f:\windows\system32\dllcache\wmiacpi.sys
2009-09-28 21:34 . 2008-04-13 18:46 15232 -c--a-w- f:\windows\system32\dllcache\streamip.sys
2009-09-28 21:33 . 2001-08-17 20:52 49024 -c--a-w- f:\windows\system32\dllcache\ql1280.sys
2009-09-28 21:32 . 2001-08-17 19:50 103296 -c--a-w- f:\windows\system32\dllcache\mtxvideo.sys
2009-09-28 21:31 . 2008-04-14 00:09 6144 -c--a-w- f:\windows\system32\dllcache\kbd106.dll
2009-09-28 21:30 . 2001-08-17 19:15 442240 -c--a-w- f:\windows\system32\dllcache\fpnpbase.sys
2009-09-28 21:29 . 2008-04-13 18:40 8192 -c--a-w- f:\windows\system32\dllcache\changer.sys
2009-09-28 21:28 . 2004-08-04 05:32 10880 -c--a-w- f:\windows\system32\dllcache\admjoy.sys
2009-09-28 05:22 . 2009-09-10 21:54 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 05:22 . 2009-09-28 05:22 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2009-09-28 05:22 . 2009-09-10 21:53 19160 ----a-w- f:\windows\system32\drivers\mbam.sys
2009-09-28 05:22 . 2009-09-28 05:22 4045528 ----a-w- F:\mbam-setup.exe
2009-09-28 00:33 . 2009-09-28 00:33 -------- d-----w- f:\program files\File Shredder
2009-09-28 00:33 . 2009-09-28 00:33 1221104 ----a-w- F:\file_shredder_setup.exe
2009-09-27 19:53 . 2009-09-27 19:54 -------- d-----w- f:\documents and settings\E\Application Data\HpUpdate
2009-09-27 19:53 . 2009-09-27 19:53 -------- d-----w- f:\windows\Hewlett-Packard
2009-09-26 08:26 . 2009-09-26 08:26 -------- d-----w- F:\Windows Home Server Drivers for Restore
2009-09-24 05:47 . 2009-09-24 05:47 54624 ----a-w- f:\windows\system32\0fb2.sys
2009-09-12 17:02 . 2009-09-12 17:02 737280 ----a-w- f:\windows\iun6002.exe
2009-09-12 17:02 . 2009-09-12 17:02 628832 ----a-w- F:\pdsetup.exe
2009-09-11 14:14 . 2009-09-11 14:14 1925024 ----a-w- F:\install_flash_player.exe
2009-09-10 04:25 . 2009-09-10 04:25 -------- d-----w- F:\Shares
2009-09-09 03:38 . 2009-09-09 03:38 -------- d-----w- f:\program files\MSECache
2009-09-09 03:38 . 2009-09-09 03:38 28868320 ----a-w- F:\FileFormatConverters.exe
2009-09-09 03:02 . 2009-09-09 03:02 -------- d-----w- f:\program files\iPod
2009-09-09 03:02 . 2009-09-09 03:02 -------- d-----w- f:\program files\iTunes
2009-09-09 03:01 . 2009-09-09 03:01 -------- d-----w- f:\program files\Bonjour
2009-09-09 03:00 . 2009-09-09 03:01 -------- d-----w- f:\program files\QuickTime
2009-09-09 02:59 . 2009-09-09 03:00 -------- d-----w- f:\program files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 01:29 . 2007-10-08 08:00 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-10-08 01:28 . 2007-10-08 08:00 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-02 02:19 . 2008-07-14 18:35 -------- d-----w- f:\program files\Palm
2009-09-27 19:54 . 2007-10-13 20:43 -------- d-----w- f:\program files\HP
2009-09-24 05:53 . 2007-10-03 04:54 28920 ----a-w- f:\documents and settings\E\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-21 16:14 . 2007-10-15 05:43 -------- d-----w- f:\program files\Common Files\Apple
2009-09-20 18:58 . 2009-09-06 20:41 90112 ----a-w- f:\windows\DUMP4527.tmp
2009-09-12 20:35 . 2009-08-25 04:41 -------- d-----w- f:\documents and settings\E\Application Data\Winamp
2009-09-10 04:25 . 2009-02-04 06:02 -------- d-----w- f:\program files\Windows Home Server
2009-09-09 01:32 . 2007-10-03 04:59 -------- d--h--w- f:\program files\InstallShield Installation Information
2009-09-08 01:37 . 2009-09-08 01:37 -------- d-----w- f:\program files\Trend Micro
2009-09-08 01:37 . 2009-09-08 01:36 812344 ----a-w- F:\HijackThisInstaller.exe
2009-09-08 01:29 . 2009-09-08 01:29 -------- d-----w- f:\program files\ERUNT
2009-09-08 01:28 . 2009-09-08 01:28 791393 ----a-w- F:\erunt-setup.exe
2009-09-08 01:18 . 2009-09-08 01:18 -------- d-----w- f:\documents and settings\E\Application Data\InstallShield
2009-09-08 01:10 . 2009-09-08 01:10 16409960 ----a-w- F:\spybotsd162.exe
2009-09-07 05:21 . 2009-01-31 05:08 -------- d-----w- f:\program files\Common Files\Wise Installation Wizard
2009-09-07 05:21 . 2009-08-22 21:06 -------- d-----w- f:\documents and settings\E\Application Data\SUPERAntiSpyware.com
2009-09-07 05:21 . 2009-08-22 21:06 -------- d-----w- f:\program files\SUPERAntiSpyware
2009-09-07 05:17 . 2009-09-07 05:17 3293992 ----a-w- F:\ccsetup223.exe
2009-09-06 20:44 . 2009-09-06 20:44 308160 ----a-w- F:\avast_pro_setup.exe
2009-08-25 04:41 . 2007-10-03 06:53 -------- d-----w- f:\program files\Winamp
2009-08-25 04:39 . 2009-08-25 04:39 14224112 ----a-w- F:\winamp556_full_emusic-7plus_all.exe
2009-08-25 04:06 . 2009-08-25 04:06 803 ----a-w- f:\program files\CoreTemp.ini
2009-08-25 04:06 . 2009-08-25 04:06 11 ----a-w- f:\program files\Plugins.ini
2009-08-24 05:04 . 2009-08-24 05:04 -------- d-----w- f:\documents and settings\E\Application Data\IObit
2009-08-24 05:04 . 2009-08-24 05:04 -------- d-----w- f:\program files\IObit
2009-08-24 05:03 . 2009-08-24 05:03 3021976 ----a-w- F:\DefragSetup.exe
2009-08-24 04:45 . 2009-08-24 04:45 -------- d-----w- f:\program files\EASEUS
2009-08-24 04:26 . 2007-10-05 04:13 -------- d-----w- f:\program files\ATITool
2009-08-24 04:22 . 2007-10-12 16:49 -------- d-----w- f:\program files\Logitech
2009-08-24 04:12 . 2007-11-16 17:03 -------- d-----w- f:\documents and settings\Administrator\Application Data\Logitech
2009-08-24 04:12 . 2007-10-12 16:50 -------- d-----w- f:\documents and settings\E\Application Data\Logitech
2009-08-24 04:12 . 2007-10-12 16:50 -------- d-----w- f:\documents and settings\All Users\Application Data\Logitech
2009-08-24 03:59 . 2008-10-31 18:57 -------- d-----w- f:\program files\Yahoo!
2009-08-24 03:58 . 2008-01-03 02:36 -------- d-----w- f:\program files\Acoustica Spin It Again
2009-08-24 02:10 . 2009-08-24 02:10 654920 ----a-w- F:\mtinst(2).exe
2009-08-23 19:27 . 2007-10-12 07:33 -------- d-----w- f:\program files\Java
2009-08-23 18:53 . 2009-08-23 18:52 126233 ----a-w- F:\MGlogs.zip
2009-08-23 12:02 . 2009-08-20 04:08 90112 ----a-w- f:\windows\DUMP57a5.tmp
2009-08-22 23:24 . 2009-08-22 23:24 -------- d-----w- f:\documents and settings\E\Application Data\Malwarebytes
2009-08-22 23:24 . 2009-08-22 23:24 -------- d-----w- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-22 23:20 . 2009-08-22 23:20 -------- d-----w- f:\documents and settings\All Users\Application Data\Windows Home Server
2009-08-22 21:26 . 2009-08-22 21:25 8050536 ----a-w- F:\Firefox Setup 3.5.2.exe
2009-08-22 21:06 . 2009-08-22 21:06 -------- d-----w- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-22 21:05 . 2009-08-22 21:05 1344235 ----a-w- F:\MGtools.exe
2009-08-22 20:48 . 2008-10-31 18:57 -------- d-----w- f:\program files\CCleaner
2009-08-21 04:28 . 2007-12-14 16:35 -------- d-----w- f:\program files\Common Files\Logishrd
2009-08-20 15:43 . 2009-08-20 15:43 229208 ----a-w- f:\windows\system32\drivers\VMM.sys
2009-08-17 16:10 . 2009-09-06 20:48 1279456 ----a-w- f:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-09-06 20:48 93392 ----a-w- f:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-09-06 20:48 94160 ----a-w- f:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-09-06 20:48 114768 ----a-w- f:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-09-06 20:48 20560 ----a-w- f:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-09-06 20:48 51376 ----a-w- f:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-09-06 20:48 23152 ----a-w- f:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-09-06 20:48 26944 ----a-w- f:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-09-06 20:48 97480 ----a-w- f:\windows\system32\AvastSS.scr
2009-08-05 19:48 . 2009-08-05 19:48 378384 ----a-w- f:\program files\Core Temp.exe
2009-08-05 09:01 . 2001-08-23 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2001-08-23 12:00 81920 ----a-w- f:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2001-08-23 12:00 119808 ----a-w- f:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2001-08-23 12:00 58880 ----a-w- f:\windows\system32\atl.dll
2009-07-14 06:43 . 2004-08-04 07:56 286208 ------w- f:\windows\system32\wmpdxm.dll
2001-08-23 12:00 . 2001-08-23 12:00 94784 --sh--w- f:\windows\twain.dll
2008-04-14 00:12 . 2001-08-23 12:00 50688 --sh--w- f:\windows\twain_32.dll
2006-10-27 19:40 . 2006-10-27 19:40 12288 --sh--w- f:\windows\Twunk_16.dll
2006-10-27 19:40 . 2006-10-27 19:40 12288 --sh--w- f:\windows\Twunk_32.dll
2008-04-14 00:11 . 2001-08-23 12:00 1028096 --sha-w- f:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2001-08-23 12:00 57344 --sh--w- f:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2001-08-23 12:00 413696 --sha-w- f:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2001-08-23 12:00 551936 --sh--w- f:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2001-08-23 12:00 84992 --sha-w- f:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2001-08-23 12:00 11776 --sh--w- f:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.16.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-08 01:29 . 2009-10-08 01:29 16384 f:\windows\Temp\Perflib_Perfdata_6f4.dat
- 2001-08-23 12:00 . 2009-10-01 00:01 71776 f:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-10-08 01:42 71776 f:\windows\system32\perfc009.dat
+ 2009-10-03 10:41 . 2009-10-07 23:15 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-03 04:17 . 2009-09-30 23:39 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-03 04:17 . 2009-10-07 23:15 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-03 10:41 . 2009-10-07 23:15 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-09-29 11:33 . 2009-09-30 23:39 16384 f:\windows\system32\config\systemprofile\Cookies\index.dat
- 2001-08-23 12:00 . 2009-10-01 00:01 442800 f:\windows\system32\perfh009.dat
+ 2001-08-23 12:00 . 2009-10-08 01:42 442800 f:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="f:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"QuickTime Task"="f:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"WinampAgent"="f:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"CXMon"="f:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-01-15 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - f:\windows\KHALMNPR.Exe [2007-09-21 55824]
"CTxfiHlp"="CTXFIHLP.EXE" - f:\windows\system32\Ctxfihlp.exe [2008-07-11 19968]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - f:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-4 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\WINDOWS\\system32\\spoolsv.exe"=
"f:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"f:\\Program Files\\Windows Home Server\\Discovery.exe"=
"f:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
"58344:TCP"= 58344:TCP:*:Disabled:Pando P2P TCP Listening Port
"58344:UDP"= 58344:UDP:*:Disabled:Pando P2P UDP Listening Port

R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [9/6/2009 1:48 PM 114768]
R2 aswFsBlk;aswFsBlk;f:\windows\system32\drivers\aswFsBlk.sys [9/6/2009 1:48 PM 20560]
R2 WHSConnector;Windows Home Server Connector Service;f:\program files\Windows Home Server\WHSConnector.exe [4/20/2009 9:37 PM 335728]
S2 SqueezeMySQL;SqueezeMySQL;f:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=f:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> f:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=f:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 0fb2;0fb2;f:\windows\system32\0fb2.sys [9/23/2009 10:47 PM 54624]
S3 ALSysIO;ALSysIO;\??\f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys --> f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;f:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [10/31/2008 11:44 AM 79360]
S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [8/23/2009 9:45 PM 8704]
S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [8/23/2009 9:45 PM 3072]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [9/27/2009 10:22 PM 38224]
S3 NETMW145;Belkin N1 Wireless Desktop Card Service for Windows XP;f:\windows\system32\DRIVERS\NETMW145.sys --> f:\windows\system32\DRIVERS\NETMW145.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;f:\windows\system32\DRIVERS\RTL8187.sys --> f:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\f:\windows\System32\Drivers\SjyPkt.sys --> f:\windows\System32\Drivers\SjyPkt.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys --> f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"f:\windows\system32\rundll32.exe" "f:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
FF - ProfilePath - f:\documents and settings\E\Application Data\Mozilla\Firefox\Profiles\1xtvu5l9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 2
FF - plugin: f:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 18:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1540)
f:\windows\system32\WININET.dll
f:\windows\system32\ieframe.dll
f:\windows\system32\webcheck.dll
f:\windows\system32\WPDShServiceObj.dll
f:\program files\Microsoft Virtual PC\VPCShExH.DLL
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
f:\program files\Alwil Software\Avast4\aswUpdSv.exe
f:\program files\Alwil Software\Avast4\ashServ.exe
f:\program files\Creative\Shared Files\CTAudSvc.exe
f:\program files\Bonjour\mDNSResponder.exe
f:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
f:\windows\system32\nvsvc32.exe
f:\windows\system32\HPZipm12.exe
f:\program files\Alwil Software\Avast4\ashMaiSv.exe
f:\program files\Alwil Software\Avast4\ashWebSv.exe
f:\windows\system32\rundll32.exe
f:\program files\iPod\bin\iPodService.exe
f:\program files\Palm\Hotsync.exe
f:\program files\SqueezeCenter\SqueezeTray.exe
f:\program files\Windows Home Server\WHSTrayApp.exe
f:\program files\WinZip\WZQKPICK.EXE
f:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2009-10-08 18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 01:52
ComboFix2.txt 2009-10-01 01:19
ComboFix3.txt 2009-09-29 03:30

Pre-Run: 363,429,740,544 bytes free
Post-Run: 363,717,320,704 bytes free

343 --- E O F --- 2009-09-09 10:03

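The service entries in the log above (the `R1`/`S3` lines) follow a fixed ComboFix layout, and the kind of second look teacup61 is giving them can be done mechanically. The following Python script is an added example, not part of this thread or of ComboFix: it parses that layout and flags drivers that load from a Temp directory, entries whose file ComboFix could not stat (the `[?]` marker), and hex-only service names with no descriptive display name. The reading of the prefix as R/S = running/stopped plus a start-type digit is an assumption about ComboFix's convention, and every flag is a prompt for a closer look, not a malware verdict.

```python
import re

# Constructed sample: service lines copied from the ComboFix log in this thread.
SAMPLE_LINES = r"""
R1 aswSP;avast! Self Protection;f:\windows\system32\drivers\aswSP.sys [9/6/2009 1:48 PM 114768]
S3 0fb2;0fb2;f:\windows\system32\0fb2.sys [9/23/2009 10:47 PM 54624]
S3 ALSysIO;ALSysIO;\??\f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys --> f:\docume~1\E\LOCALS~1\Temp\ALSysIO.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [9/27/2009 10:22 PM 38224]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys --> f:\docume~1\E\LOCALS~1\Temp\TCCpuInfo.sys [?]
"""

# One ComboFix service line: <R|S><start> <name>;<display>;<image> [--> <resolved>] [<date size> | ?]
# R/S = running/stopped and the digit = service start type is assumed to be ComboFix's convention.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$"
)

def parse_services(text):
    """Return one dict per service/driver line; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in (SERVICE_RE.match(line) for line in text.splitlines()) if m]

def triage(text):
    """Map service name -> reasons a reviewer should look closer (hints, not verdicts)."""
    findings = {}
    for svc in parse_services(text):
        path = svc["resolved"] or svc["image"]   # prefer the path ComboFix resolved
        reasons = []
        if re.search(r"\\temp\\", path, re.I):
            reasons.append("driver image loads from a Temp directory")
        if svc["meta"] == "?":
            reasons.append("ComboFix could not stat the file (no date/size)")
        n = svc["name"]
        # hex-only names such as 0fb2 with display == name carry no hint of who installed them
        if (re.fullmatch(r"[0-9a-f]+", n) and re.search(r"\d", n)
                and re.search(r"[a-f]", n) and svc["display"] == n):
            reasons.append("hex-only service name with no descriptive display name")
        if reasons:
            findings[n] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES).items():
        print(name, "->", "; ".join(reasons))
```
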
#35 User is offline   teacup61 

Posted 07 October 2009 - 11:30 PM

I guess we both misunderstood. Not a problem. :(

After a reboot did ComboFix remove all those again? I have researched this until my eyes hurt......found other threads with the same entries, except they all stay gone after the very first run of ComboFix. I want someone to have a look at this thread before I ask you to try anything else. I'll get back to you just as quick as I can. :(

tea

#36 User is offline   damnitbeavis 

  • Member
  • Group: Members
  • Posts: 29
  • Joined: 28-August 09
  • Gender:Male
  • Location:Santa Rosa, CA

Posted 09 October 2009 - 11:49 PM

Honestly, I didn't even notice that things were getting removed multiple times. I'm just happy that someone is trying to help. Take your time, and thanks!

Eric

#37 User is offline   teacup61 

Posted 10 October 2009 - 04:13 PM

Hi Eric,

Yes, and that's what was bothering me. The entries themselves aren't necessarily malware, but something isn't letting them be deleted from the temp folder. I'm also taking into consideration the reason for the bsods. I did ask someone to have a look, and we're going to go in a different direction now.

How long has this been going on? Can you remember installing anything new around that time? I would like for you to go offline and uninstall Avast!. If the bsods continue, then go into msconfig, services tab, and tick the box that says hide all MS services. Then turn off all the rest of the services and turn them back on one by one, with a reboot in between each one. It's a bit of a process, but a lot of the time the problem can be found that way. Of course, if the problem isn't Avast!, then do reinstall it as soon as possible. No need to have you any more vulnerable than needs be. :(

Let me know how you come out. :(

tea

#38 User is offline   damnitbeavis 

Posted 12 October 2009 - 11:39 PM

Hi Tea,

So I uninstalled Avast, rebooted, turned off all non-MS services, rebooted again, went to the f-secure online scanner (the only way I have found to always cause a bsod) and.... Boom. Bsod.

I haven't installed anything new, really.

It seems like my desktop is more stable now than when we started, bsods are now rare, unless I try the f-secure. The WHS still bsods like a mofo. I think we've made some progress, but I suspect that my desktop still may be infected with some crafty malware, but I don't really have any evidence other than the BSODS with fsecure, and how they started all of a sudden.

More ideas?

Eric

#39 User is offline   teacup61 

Posted 13 October 2009 - 06:54 PM

Hi there,

Let me make sure I understand what you said.....the only time it bsods now is when you use F-Secure? Is it the online scan only?

#40 User is offline   damnitbeavis 

Posted 13 October 2009 - 08:35 PM

Hi Tea,

The last four or five BSODs on the desktop have only occurred with using f-secure online scanner, yes. The server still bsods frequently, and I have disconnected it from the network and powered it off.

My suspicion is that I still have malware on the desktop, but I have no other (recent) evidence than the bsods with the f-secure online scanner. Maybe I'm paranoid, but what else could be impairing combofix's ability to remove entries?

The hard drive on my laptop just became "unmountable" and I replaced it. Probably a coincidence, I haven't heard of malware totally destroying a hd.... but I don't know that much. Do you think it is time to move on to the server?

Hopeful!
Eric

#41 User is offline   teacup61 

Posted 14 October 2009 - 08:14 AM

Hi,

Stay away from F-Secure and monitor the behavior. Let me know of any changes. It could very well be that something you have just doesn't play well with others.....some programs are like that.

Yes, let's go on to the server now. Download a fresh copy of ComboFix there and let me know of the problems it's having, even if they are the same as this one had. :(

tea

#42 User is offline   damnitbeavis 

Posted 14 October 2009 - 10:29 AM

Hi Tea,

When I try to run combofix on the server, it says "cannot find NircmdB.exe" and it won't run any farther.

Thanks again for your continued help with this!

Eric

#43 User is offline   teacup61 

Posted 15 October 2009 - 04:39 AM

Disable any protection software you have and try again. :( Avast! and many others don't like certain files our tools use and read them as bad.

tea

#44 User is offline   damnitbeavis 

Posted 15 October 2009 - 10:09 AM

Disabled Avast, disabled network, ran combofix, still "cannot find nircmdB.exe".

Tried renaming combofix, same problem.

I don't have any other protection software.... Any ideas?

Eric

#45 User is offline   teacup61 

Posted 18 October 2009 - 05:06 AM

Hello,

What else have you tried to run on the server? MBAM or GMER would be good.....will HijackThis run? Also, basic question I have to ask.....sorry, when you disabled Avast! and everything, did you then download a new ComboFix or just try the one you already had?

tea