
Don't know what I'm infected with -- sorry!


  • This topic is locked
15 replies to this topic

#1 vordabois

vordabois

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Westerville, Ohio
  • Local time:05:03 PM

Posted 24 April 2009 - 12:00 AM

Loads of problems. First off, when I boot up, I notice a new small box flash in the upper-right corner, and I've been able to read it a bit a few times... Something about setting up Outlook settings and then something about winpri.exe. The first problem I had was that when I was playing a DVD with PowerDVD and I went to do other stuff in the background while it was playing, the arrow of my cursor would disappear. Then, other times (not playing movies), I would double click on an icon and instead of launching the program, the properties box would come up. I restarted my computer and that would fix it. Now, it has totally blocked my ability to open Firefox because it says there's an update. But then it goes to a warning box that says "The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again". I hit "OK" and it just tries to install the update again, popping up with another warning box, and it just goes on forever repeating. So now I'm back to using IE to post this message.

I went to uninstall Firefox (to reinstall it), but it freezes just as the uninstall wizard boots up.

UGH!

I just wanna say that you guys have gotten me out of two bad spots before and I am just so grateful for everything you guys do. I have Norton 360, and have done several comprehensive scans to get rid of this, but nothing has come up. I paid money for that program and it doesn't seem to catch stuff this bad. (I've run Spybot several times, too, and all it's gotten seems to be minor stuff.) Thank you for everything.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jim at 0:36:16.65 on Fri 04/24/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.197 [GMT -4:00]

AV: Norton 360 *On-access scanning enabled* (Updated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Netropa\OSD.exe
svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Folder Lockbox\flockbox.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\CTSVCCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyServer = 210.21.12.94:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {18F511F7-744F-4035-9599-799BA42110EA} - No File
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {6817a60d-c3e8-4d82-97fa-7b9749b41dcf} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {A6C54318-5AC7-477D-B0A7-49AF5189300C} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus Photo R280 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\windows\temp\E_S98.tmp" /EF "HKCU"
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [flockbox] c:\program files\folder lockbox\flockbox.exe /a
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winpri] c:\windows\system32\winpri.exe
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\screen~1.lnk - c:\windows\FSScrCtl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: Download using Download &Express - c:\documents and settings\jim\desktop\Add_Url.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: allmusic.com, click Add \www
Trusted Zone: creative.com\us
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - hxxp://www.mathxl.com/applets/PearsonInstallAsst.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37738.0371527778
DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} - hxxp://www.mathxl.com/applets/DeltaCVX.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - hxxp://fdl.msn.com/public/chat/msnchat4.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\24rs5ze6.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://www.prospect.org/
FF - prefs.js: network.proxy.ftp - 195.131.2.37
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.131.2.37
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.131.2.37
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.131.2.37
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2006-9-9 13824]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090423.004\NAVENG.SYS [2009-4-23 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090423.004\NAVEX15.SYS [2009-4-23 876144]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-12-31 1245064]
S2 .NET Connection Service;.NET Framework Service;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S3 ADSP24WDM;Service for AudioDSP24 Driver (WDM);c:\windows\system32\drivers\ADSPWDM.sys [2001-10-31 80578]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 LCcFltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcFltr.Sys [2001-12-12 13052]
S3 OASIS;OASIS;c:\windows\system32\drivers\oasisusb.sys [2003-5-3 21959]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2001-12-17 15417]

============== File Associations ===============

inffile=c:\kpcms\i386\NOTEPAD.EXE %1
inifile=c:\kpcms\i386\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-15 17:23 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:23 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:23 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:23 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 17:23 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:23 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:23 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:23 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:23 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:22 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:22 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 17:22 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 14:34 <DIR> --d----- c:\windows\system32\scripting
2009-04-15 14:34 <DIR> --d----- c:\windows\l2schemas
2009-04-15 14:34 <DIR> --d----- c:\windows\system32\en
2009-04-07 19:41 259,389 a------- c:\windows\system32\winpri
2009-04-07 18:56 442,368 a------- c:\windows\system32\winpri.exe
2009-04-04 01:34 <DIR> --d----- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-04-15 14:40 81,365 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-21 01:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-09-09 01:08 75,544 a------- c:\docume~1\jim\applic~1\GDIPFONTCACHEV1.DAT
2005-12-04 04:32 36 a------- c:\documents and settings\jim\klextlock.dat
2004-12-04 04:04 52 a------- c:\docume~1\jim\applic~1\tvmcwrd.dll
2004-12-04 01:48 230,222 a------- c:\docume~1\jim\applic~1\tvmknwrd.dll
2003-05-05 07:37 5,054 a------- c:\program files\INSTALL.LOG
2002-01-09 14:57 1,159 a------- c:\program files\Untitle.el
1999-04-16 11:20 196,608 a------- c:\program files\DotColor.exe
1998-02-10 18:34 128,000 a------- c:\program files\UNWISE.EXE
2029-09-07 08:40 1,537 a--sh--- c:\windows\page files\maxmeg.sys

============= FINISH: 0:37:31.90 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2002 3:17:24 AM
System Uptime: 4/23/2009 11:33:39 PM (1 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel® Pentium® 4 CPU 1.90GHz | Microprocessor | 1894/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 77.441 GiB free.
D: is FIXED (NTFS) - 114 GiB total, 11.804 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&351C866&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&351C866&0&0
Service: flpydisk

==== System Restore Points ===================

RP3130: 4/21/2009 11:39:21 AM - Software Distribution Service 3.0
RP3131: 4/22/2009 2:10:02 PM - Software Distribution Service 3.0
RP3132: 4/23/2009 11:38:54 AM - Software Distribution Service 3.0

==== Installed Programs ======================

7-Zip 4.57
AAC Decoder
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop v4.0
Adobe Shockwave Player
AppCore
aspi
AutoUpdate
AVIcodec (remove only)
Azureus
Backup
Battlefield Vietnam™
ccCommon
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DellTouch
DesertCombat Public Alpha 0.38
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
EAX4 Unified Redist
EPSON Printer Software
EPSON R280 User's Guide
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSstore
ESSvpaht
ESSvpot
FLV Player 2.0, build 24
Folder Lockbox 1.0 for Windows 2000/XP
GearDrvs
H.264 Decoder
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImageDrive (ahead software)
InterActual Player
InterLok Driver Kit
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 Runtime Environment, SE v1.4.1_07
Java™ 6 Update 12
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
K-Lite Mega Codec Pack 1.51
Kodak EasyShare software
KSU
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech iTouch Software
Logitech SetPoint
Lucent Win Modem
Macromedia Flash Player 8
Medal of Honor Pacific Assault™
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office XP Media Content
Microsoft Office XP Standard
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
MINITAB 14 Student
MKV Splitter
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Notifier
NVIDIA Drivers
OTtBP
OverDisk (remove only)
Pando
PCDLNCH
PCFriendly
PICVideo Codecs
PlexTools Professional V2.12
PowerDVD
RaySource 2.1.10.8192
Screenshot Captor 2.05.02
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SFR
SFR2
Sony Player Plug-in for Windows Media Player
SoundMAX
SPBBC 32bit
Spybot - Search & Destroy
Student ExplorIt -- AG
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Symantec Technical Support Web Controls
SymNet
TBS WMP Plug-in
The White Wolf of Icicle Creek
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.4a
ViewSonic Monitor Drivers
VobSub v2.23 (Remove Only)
WebFldrs XP
WebSTAR DPX USB Cable Modem Adapter
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
Works Synchronization
ZeroTimer

==== Event Viewer Messages From Past Week ========

4/23/2009 6:22:17 AM, error: Print [19] - Sharing printer failed + 1722, Printer Epson Stylus COLOR 777 ESC/P 2 share name Printer3.
4/18/2009 1:26:15 AM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.
4/17/2009 10:36:41 PM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
4/17/2009 10:36:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
4/17/2009 10:36:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp
4/17/2009 10:36:24 PM, error: Service Control Manager [7000] - The .NET Framework Service service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
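The DDS log above is read by eye by the helpers on this forum. As an added illustration of what that first pass looks for (this is not part of the thread and not code from the DDS tool or its author), the script below applies a few common triage heuristics to a handful of lines abridged from the posted log: a browser proxy pointing at a routable address (both the IE ProxyServer setting and the Firefox network.proxy.* prefs), a service whose image is an svchost.exe outside System32, a file-association handler outside the Windows directory, a file timestamp later than the log date, and an autostart entry whose target appears in the "Created Last 30" section. The heuristics, severity labels and the sample line set are my assumptions; the output is a list of lines worth a second look, not a verdict on any file.

```python
"""Triage heuristics for DDS-style logs (added example, not the DDS tool's code)."""
import ipaddress
import re
from datetime import date

# Constructed sample: lines abridged from the DDS log posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = 210.21.12.94:8080
BHO: {18F511F7-744F-4035-9599-799BA42110EA} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [winpri] c:\windows\system32\winpri.exe
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 2
============= SERVICES / DRIVERS ===============
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
S2 .NET Connection Service;.NET Framework Service;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
============== File Associations ===============
inffile=c:\kpcms\i386\NOTEPAD.EXE %1
inifile=c:\kpcms\i386\NOTEPAD.EXE %1
=============== Created Last 30 ================
2009-04-15 14:34 <DIR> --d----- c:\windows\system32\scripting
2009-04-07 18:56 442,368 a------- c:\windows\system32\winpri.exe
==================== Find3M ====================
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2029-09-07 08:40 1,537 a--sh--- c:\windows\page files\maxmeg.sys
"""
LOG_DATE = date(2009, 4, 24)  # taken from the "Run by Jim ... on Fri 04/24/2009" header

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FILE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) \d{2}:\d{2} \S+ (\S+) (.+)$")
RUN_RE = re.compile(r'^[um]Run: \[[^\]]*\] "?([^"]+?\.exe)', re.IGNORECASE)
ASSOC_RE = re.compile(r"^(\w+file)=(.+?) %1", re.IGNORECASE)


def public_ip_in(text):
    """Return the first routable IPv4 address found in text, or None."""
    for m in IP_RE.finditer(text):
        try:
            if ipaddress.ip_address(m.group(1)).is_global:
                return m.group(1)
        except ValueError:
            continue
    return None


def triage(log_text, log_date):
    """Return (severity, description) tuples for lines matching the heuristics."""
    findings = []
    section = None
    autostart = {}  # lower-cased exe path -> autostart line registering it
    created = {}    # lower-cased path -> file line from "Created Last 30" only
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Browser proxy (IE setting or Firefox pref) aimed at a routable address.
        if "ProxyServer" in line or "network.proxy." in line:
            ip = public_ip_in(line)
            if ip:
                findings.append(("HIGH", f"browser proxy set to public address {ip}: {line}"))
        # Service line "Rn/Sn name;display;image [..]" whose image is svchost.exe outside System32.
        if re.match(r"^[RS]\d ", line) and line.count(";") >= 2:
            image = line.split(";", 2)[2].split(" --> ")[0].split(" [")[0].strip().lower()
            folder, _, name = image.rpartition("\\")
            if name == "svchost.exe" and not folder.endswith("\\system32"):
                findings.append(("HIGH", f"svchost.exe outside System32: {line}"))
        # File-association handler that lives outside the Windows directory.
        m = ASSOC_RE.match(line)
        if m and not m.group(2).lower().startswith("c:\\windows\\"):
            findings.append(("MEDIUM", f"{m.group(1)} handler outside Windows dir: {line}"))
        # Orphaned BHO/toolbar entries are clutter, not evidence: note at low priority.
        if line.endswith("- No File"):
            findings.append(("LOW", f"orphaned entry: {line}"))
        m = RUN_RE.match(line)
        if m:
            autostart[m.group(1).lower()] = line
        m = FILE_RE.match(line)
        if m:
            year, month, day, _attrs, path = m.groups()
            stamp = date(int(year), int(month), int(day))
            if stamp > log_date:
                findings.append(("HIGH", f"timestamp {stamp} is after the log date: {line}"))
            if section == "Created Last 30":
                created[path.lower()] = line
    # Correlation across sections: an autostart whose target was created in the last 30 days.
    for path, line in autostart.items():
        if path in created:
            findings.append(("HIGH", f"recently created autostart target {path}: {line}"))
    return findings


def demo():
    """Run the heuristics over the constructed sample."""
    return triage(SAMPLE_LOG, LOG_DATE)


if __name__ == "__main__":
    for severity, text in demo():
        print(f"[{severity}] {text}")
```

Running the script prints eight findings for the sample: five HIGH (the two proxies, the svchost.exe under c:\windows, the 2029 timestamp, and winpri.exe as a freshly created autostart), two MEDIUM for the inffile/inifile handlers, and one LOW orphaned BHO. The correlation step is the useful part: neither "mRun: [winpri]" nor the "Created Last 30" line is remarkable on its own, but an executable that was dropped in System32 this month and registers itself to run at logon is exactly what a helper would ask about first.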



#2 vordabois

vordabois
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Westerville, Ohio
  • Local time:05:03 PM

Posted 28 April 2009 - 03:30 AM

OK, I finally got a good look at the little window that flashes upon startup. It's titled "Microsoft Outlook", and it says (as I recorded in an instant):

"Setting up personalized settings for:

C: Windows/System32/winpri.exe"

Please help me.

As I said, you guys are amazing, doing this for free and all... I just saw the "donation" tab and am willing to compensate for any sort of aid.

Edited by vordabois, 28 April 2009 - 03:32 AM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:05:03 PM

Posted 06 May 2009 - 07:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 vordabois

vordabois
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Westerville, Ohio
  • Local time:05:03 PM

Posted 08 May 2009 - 06:16 PM

I can now use Firefox, but whatever it is is still there.

First off, when I boot up, I notice a new small box flash in the upper-right corner. It's titled "Microsoft Outlook", and it says (as I recorded in an instant):

"Setting up personalized settings for:

C: Windows/System32/winpri.exe"

This is similar to another problem I had before with some sort of winupdate.exe infection.

Several observable problems.

The first one I had was that when I was playing a DVD with PowerDVD and I went to do other stuff in the background while it was playing, the arrow of my cursor would disappear. It's still there, it's just not shown.

Then, other times (not playing movies), I would double click on an icon on the desktop and instead of launching the program or opening the folder or file, the properties box would come up. Restarting my computer fixes it.

When I play "Battlefield Vietnam," the game fires my weapon continuously for me at random. Pausing the game stops it.

Sometimes, when I leave Internet Explorer or Firefox open for long enough, my computer will force it into the background and it becomes unresponsive, requiring me to "end the task" via Task Manager.

Here's a new log (I posted the DDS log, too):


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jim at 19:07:35.65 on Fri 05/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.259 [GMT -4:00]

AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Folder Lockbox\flockbox.exe
C:\Program Files\GridService\peer.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\CTSVCCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyServer = 210.21.12.94:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {18F511F7-744F-4035-9599-799BA42110EA} - No File
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: {6817a60d-c3e8-4d82-97fa-7b9749b41dcf} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {A6C54318-5AC7-477D-B0A7-49AF5189300C} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [EPSON Stylus Photo R280 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticka.exe /fu "c:\windows\temp\E_S98.tmp" /EF "HKCU"
mRun: [DellTouch] c:\windows\DELLMMKB.EXE
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [flockbox] c:\program files\folder lockbox\flockbox.exe /a
mRun: [Grid Service] "c:\program files\gridservice\peer.exe" -n Grid
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winpri] c:\windows\system32\winpri.exe
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\screen~1.lnk - c:\windows\FSScrCtl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: <NO NAME> =
mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
IE: Download using Download &Express - c:\documents and settings\jim\desktop\Add_Url.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: allmusic.com, click Add \www
Trusted Zone: creative.com\us
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} - hxxp://www.mathxl.com/applets/PearsonInstallAsst.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37738.0371527778
DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} - hxxp://www.mathxl.com/applets/DeltaCVX.cab
DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - hxxp://fdl.msn.com/public/chat/msnchat4.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\24rs5ze6.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://www.prospect.org/
FF - prefs.js: network.proxy.ftp - 195.131.2.37
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.131.2.37
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.131.2.37
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.131.2.37
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 MPRIFL;MPRIFL;c:\windows\system32\drivers\mprifl.sys [2006-9-9 13824]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-18 149352]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-26 101936]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2000-10-3 6942]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\NAVENG.SYS [2009-5-8 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090508.003\NAVEX15.SYS [2009-5-8 876144]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-12-31 1245064]
S2 .NET Connection Service;.NET Framework Service;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S3 ADSP24WDM;Service for AudioDSP24 Driver (WDM);c:\windows\system32\drivers\ADSPWDM.sys [2001-10-31 80578]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 LCcFltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcFltr.Sys [2001-12-12 13052]
S3 OASIS;OASIS;c:\windows\system32\drivers\oasisusb.sys [2003-5-3 21959]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2001-12-17 15417]

============== File Associations ===============

inffile=c:\kpcms\i386\NOTEPAD.EXE %1
inifile=c:\kpcms\i386\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-02 16:21 <DIR> --d----- C:\ComboFix
2009-05-02 16:21 389,120 a------- c:\windows\system32\CF16710.exe
2009-04-25 00:50 <DIR> --d----- c:\docume~1\jim\applic~1\Moyea
2009-04-15 17:23 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 17:23 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 17:23 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 17:23 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 17:23 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 17:23 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 17:23 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 17:23 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 17:23 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 17:22 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 17:22 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 17:22 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 14:34 <DIR> --d----- c:\windows\system32\scripting
2009-04-15 14:34 <DIR> --d----- c:\windows\l2schemas
2009-04-15 14:34 <DIR> --d----- c:\windows\system32\en

==================== Find3M ====================

2009-04-15 14:40 81,365 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-07 18:56 442,368 a------- c:\windows\system32\winpri.exe
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-21 01:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-20 06:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-09 01:08 75,544 a------- c:\docume~1\jim\applic~1\GDIPFONTCACHEV1.DAT
2005-12-04 04:32 36 a------- c:\documents and settings\jim\klextlock.dat
2004-12-04 04:04 52 a------- c:\docume~1\jim\applic~1\tvmcwrd.dll
2004-12-04 01:48 230,222 a------- c:\docume~1\jim\applic~1\tvmknwrd.dll
2003-05-05 07:37 5,054 a------- c:\program files\INSTALL.LOG
2002-01-09 14:57 1,159 a------- c:\program files\Untitle.el
1999-04-16 11:20 196,608 a------- c:\program files\DotColor.exe
1998-02-10 18:34 128,000 a------- c:\program files\UNWISE.EXE
2029-09-07 08:40 1,537 a--sh--- c:\windows\page files\maxmeg.sys

============= FINISH: 19:08:35.26 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2002 3:17:24 AM
System Uptime: 5/7/2009 11:35:41 PM (20 hours ago)

Motherboard: Dell Computer Corporation | | Dimension 8200
Processor: Intel® Pentium® 4 CPU 1.90GHz | Microprocessor | 1894/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 69.665 GiB free.
D: is FIXED (NTFS) - 114 GiB total, 11.804 GiB free.
E: is CDROM ()
F: is CDROM (UDF)

==== Disabled Device Manager Items =============

Class GUID: {4D36E980-E325-11CE-BFC1-08002BE10318}
Description: Floppy disk drive
Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&351C866&0&0
Manufacturer: (Standard floppy disk drives)
Name: Floppy disk drive
PNP Device ID: FDC\GENERIC_FLOPPY_DRIVE\5&351C866&0&0
Service: flpydisk

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.57
AAC Decoder
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop v4.0
Adobe Shockwave Player
AppCore
aspi
AutoUpdate
AVIcodec (remove only)
Azureus
Backup
Battlefield Vietnam™
ccCommon
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
DellTouch
DesertCombat Public Alpha 0.38
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
EAX4 Unified Redist
EPSON Printer Software
EPSON R280 User's Guide
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSstore
ESSvpaht
ESSvpot
FLV Player 2.0, build 24
Folder Lockbox 1.0 for Windows 2000/XP
GearDrvs
H.264 Decoder
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImageDrive (ahead software)
InterActual Player
InterLok Driver Kit
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 Runtime Environment, SE v1.4.1_07
Java™ 6 Update 12
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
K-Lite Mega Codec Pack 1.51
Kodak EasyShare software
KSU
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech iTouch Software
Logitech SetPoint
Lucent Win Modem
Medal of Honor Pacific Assault™
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office XP Media Content
Microsoft Office XP Standard
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
MINITAB 14 Student
MKV Splitter
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Notifier
NVIDIA Drivers
OTtBP
OverDisk (remove only)
Pando
PCDLNCH
PCFriendly
PICVideo Codecs
PlexTools Professional V2.12
PowerDVD
RaySource 2.1.10.8192
Screenshot Captor 2.05.02
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SFR
SFR2
Sony Player Plug-in for Windows Media Player
SoundMAX
SPBBC 32bit
Spybot - Search & Destroy
Student ExplorIt -- AG
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Symantec Technical Support Web Controls
SymNet
TBS WMP Plug-in
The White Wolf of Icicle Creek
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.4a
ViewSonic Monitor Drivers
VobSub v2.23 (Remove Only)
WebFldrs XP
WebSTAR DPX USB Cable Modem Adapter
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Service Pack 3
WinRAR archiver
Works Suite OS Pack
Works Synchronization
ZeroTimer

==== Event Viewer Messages From Past Week ========

5/7/2009 1:59:04 AM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom1.
5/4/2009 2:49:48 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
5/2/2009 3:58:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aslm75 cdudf_xp eeCtrl Fips IPSec MRxSmb NetBIOS NetBT OMCI Processor RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip WS2IFSL
5/2/2009 3:58:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
5/2/2009 3:58:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/2/2009 3:58:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/2/2009 3:58:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
5/2/2009 3:51:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/2/2009 3:47:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp
5/2/2009 3:47:14 PM, error: Service Control Manager [7000] - The .NET Framework Service service failed to start due to the following error: The system cannot find the file specified.
5/1/2009 11:40:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.

==== End Of File ===========================

Attached Files

  • Attached File: Both.txt (26.01KB, 14 downloads)

Edited by vordabois, 08 May 2009 - 10:36 PM.
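As an added example (not code from this thread, from BleepingComputer or from the DDS tool), here is a small Python triage script for the kind of log posted above: it reads the Pseudo HJT Report, service and Created Last 30 / Find3M lines and flags what a helper scans for in this log, namely forced IE and Firefox proxy servers, BHO/toolbar entries pointing at "No File", a service running a system-binary name from outside system32 (the .NET Connection Service line), and Run entries whose target also appears in the recently created/modified file list (winpri.exe). The sample lines are constructed to mirror the posted log and the rules are this example's own.

```python
"""Triage the indicators a helper looks for in a DDS log.

Added example for this thread, not code from BleepingComputer or from the
DDS tool. SAMPLE_LOG below is constructed to mirror the log posted above;
the detection rules are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # short category, used for summarising and for tests
    detail: str  # explanation carrying the offending value


# Names Windows XP keeps in system32. The same name in another directory
# (the log's "c:\windows\svchost.exe" service) is a classic masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                 "winlogon.exe", "spoolsv.exe"}

RUN_RE = re.compile(r'^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+"?(?P<path>.+?\.(?:exe|dll|scr))', re.I)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(?P<proto>http|ssl|ftp|socks|gopher) - (?P<host>\S+)")
ORPHAN_RE = re.compile(r"^(?P<type>BHO|TB|EB):\s+.*?\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+No File$")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)(?:\s+-->|\s+\[)")
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")

# Constructed sample: a handful of lines modelled on the posted DDS log.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = 210.21.12.94:8080
BHO: {18F511F7-744F-4035-9599-799BA42110EA} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [winpri] c:\windows\system32\winpri.exe
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128
S2 .NET Connection Service;.NET Framework Service;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2001-8-6 28672]
2009-04-07 18:56 442,368 a------- c:\windows\system32\winpri.exe
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
"""


def check_location(path: str, origin: str, findings: list) -> None:
    """Flag a system-binary name that runs from outside system32.

    A bare name (e.g. "ltmsg.exe 9" in the log) is resolved via PATH and
    carries no directory, so it is not judged here.
    """
    directory, _, basename = path.rpartition("\\")
    if directory and basename in SYSTEM32_ONLY and not directory.endswith("\\system32"):
        findings.append(Finding("misplaced_system_binary",
                                f"{origin} runs {path}; that name belongs in system32"))


def triage(log_text: str) -> list:
    """Apply the rules to a DDS log and return the findings in log order."""
    findings = []
    autostarts = {}    # lowercase target path -> Run entry name
    dated_files = {}   # lowercase path -> date from Created Last 30 / Find3M
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := IE_PROXY_RE.match(line):
            findings.append(Finding("ie_proxy", f"IE proxy forced to {m['proxy']}"))
        elif m := FF_PROXY_RE.match(line):
            findings.append(Finding("ff_proxy", f"Firefox {m['proto']} proxy set to {m['host']}"))
        elif m := ORPHAN_RE.match(line):
            findings.append(Finding("orphan_bho", f"{m['type']} {{{m['clsid']}}} points at a missing file"))
        elif m := RUN_RE.match(line):
            autostarts[m["path"].lower()] = m["name"]
        elif m := SERVICE_RE.match(line):
            check_location(m["path"].strip().lower(), f"service '{m['name']}'", findings)
        elif m := FILE_RE.match(line):
            dated_files[m["path"].lower()] = m["date"]
    # Correlate autostart targets with the dated file list: a Run entry whose
    # binary was also created recently (winpri.exe here) is what gets asked about.
    for path, name in autostarts.items():
        check_location(path, f"Run entry [{name}]", findings)
        if path in dated_files:
            findings.append(Finding("recent_autostart",
                                    f"Run entry [{name}] -> {path} dated {dated_files[path]}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run against a full DDS log the same rules simply see more lines; an orphan BHO is a cleanup candidate rather than proof of infection, while a forced proxy pointing at an unfamiliar address is the line to ask about first.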


#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 May 2009 - 11:04 AM

Hello, vordabois :thumbup2:

2009-05-02 16:21 <DIR> --d----- C:\ComboFix

ComboFix should not be run before you get help here. In your particular instance, you have programs running which have DESTROYED machines when not properly disabled!

While in fact it's a good tool to use here, it's not going to work correctly unless precautions are taken first.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
  • Close/Exit Spybot Search and Destroy
We need to uninstall one or more programs
Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs (if present):
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 Runtime Environment, SE v1.4.1_07
Java™ 6 Update 12
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1


We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 vordabois

vordabois
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Westerville, Ohio

Posted 10 May 2009 - 12:34 PM

Thanks for your help!!

A few problems in uninstalling those programs...

--> J2SE Runtime Environment 5.0 Update 4

Box pops up that says "You already have this version of the JRE installed. Please uninstall the product through your add/remove programs utility before reinstalling." I press "OK", and a moment later another box pops up that says "fatal error during installation."

--> J2SE Runtime Environment 5.0 Update 6

Box pops up that says "Error applying transforms. Verify that the specified transform paths are valid."

--> Java 2 Runtime Environment, SE v1.4.1_01

I click on change/remove, the screen flashes, but nothing happens.

Should I just go ahead to Combofix or not?

#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 May 2009 - 12:43 PM

Yes, go ahead :thumbup2: We'll clean up the leftovers shortly...

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#8 vordabois

vordabois
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:Westerville, Ohio

Posted 11 May 2009 - 12:12 AM

Here it is (sorry for the delay, had to go to work)...


ComboFix 09-05-09.05 - Jim 05/11/2009 0:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.305 [GMT -4:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\INSTALL.LOG
c:\windows\BM2b105727.xml
c:\windows\Readme.txt
c:\windows\system32\jncisbpb.ini
c:\windows\system32\Sp3.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_.NET_CONNECTION_SERVICE
-------\Service_.NET Connection Service


((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-04-15 21:23 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 21:23 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 21:23 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 21:23 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 21:23 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 21:23 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 21:23 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 21:23 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 21:23 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 21:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 21:22 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\system32\scripting
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\l2schemas
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\system32\en

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 05:01 . 2006-04-14 10:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-10 17:25 . 2006-04-14 10:28 -------- d-----w c:\program files\Java
2009-05-10 17:17 . 2006-04-14 10:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-27 06:27 . 2006-04-14 10:25 -------- d-----w c:\program files\Azureus
2009-04-15 18:40 . 2002-05-31 07:13 81365 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-08 18:06 . 2007-07-02 07:22 -------- d-----w c:\program files\Norton 360
2009-04-08 03:40 . 2008-04-27 08:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-07 22:56 . 2009-04-07 22:56 442368 ----a-w c:\windows\system32\winpri.exe
2009-04-04 05:38 . 2006-04-14 10:27 -------- d-----w c:\program files\DivX
2009-04-04 05:35 . 2009-04-04 05:34 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-21 05:49 . 2008-11-26 04:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-04-27 08:15 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-07-20 05:34 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2002-01-09 18:57 . 2002-01-09 03:11 1159 ----a-w c:\program files\Untitle.el
1999-04-16 15:20 . 2001-12-16 17:42 196608 ----a-w c:\program files\DotColor.exe
1998-02-10 22:34 . 2002-03-12 12:17 128000 ----a-w c:\program files\UNWISE.EXE
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-01 02:47 . 2009-01-08 19:17 324976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2007-06-28 08:48 . 2007-06-28 08:48 377 --sha-w c:\windows\SYSTEM32\klkkj.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2001-10-12 200704]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-07-20 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"flockbox"="c:\program files\Folder Lockbox\flockbox.exe" [2006-08-22 1597952]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-07-13 3375104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"winpri"="c:\windows\system32\winpri.exe" [2009-04-07 442368]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"LTWinModem1"="ltmsg.exe" - c:\windows\SYSTEM32\ltmsg.exe [2001-04-03 38912]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-12-10 1519616]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2002-11-2 249344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-24 450560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrolk]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllji]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCTKD]
[BU]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
"aux1"= ctwdm32.dll
"wave4"= serwvdrv.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RaySource\\RaySource.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57773:TCP"= 57773:TCP:Pando P2P TCP Listening Port
"57773:UDP"= 57773:UDP:Pando P2P UDP Listening Port
"57512:TCP"= 57512:TCP:Pando P2P TCP Listening Port
"57512:UDP"= 57512:UDP:Pando P2P UDP Listening Port
"58274:TCP"= 58274:TCP:Pando P2P TCP Listening Port
"58274:UDP"= 58274:UDP:Pando P2P UDP Listening Port

R0 MPRIFL;MPRIFL;c:\windows\SYSTEM32\DRIVERS\mprifl.sys [9/9/2006 7:50 AM 13824]
R3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [1/12/2008 10:32 PM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 12:58 PM 101936]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 5:18 PM 6942]
S3 ADSP24WDM;Service for AudioDSP24 Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ADSPWDM.sys [10/31/2001 3:20 PM 80578]
S3 LCcFltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCcFltr.Sys [12/12/2001 11:07 AM 13052]
S3 OASIS;OASIS;c:\windows\SYSTEM32\DRIVERS\oasisusb.sys [5/3/2003 7:59 PM 21959]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\SYSTEM32\DRIVERS\WebSTAR.sys [12/17/2001 12:25 PM 15417]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - Automatic LiveUpdate Scheduler
*Deregistered* - Browser
*Deregistered* - ccEvtMgr
*Deregistered* - ccSetMgr
*Deregistered* - CLTNetCnService
*Deregistered* - comHost
*Deregistered* - Creative Service for CDROM Access
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - ImapiService
*Deregistered* - KodakCCS
*Deregistered* - LanmanServer
*Deregistered* - LanmanWorkstation
*Deregistered* - LiveUpdate Notice
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nhksrv
*Deregistered* - Nla
*Deregistered* - NVSvc
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - ScsiAccess
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMDM PMSP Service
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{71687B8F-7340-6E5A-7693-7A429A184916}]
C:\WINDOWS:winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEF0E631-B2F5-8B40-D982-25F332109689}]
c:\windows\system32\winpri.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{18F511F7-744F-4035-9599-799BA42110EA} - (no file)
BHO-{6817a60d-c3e8-4d82-97fa-7b9749b41dcf} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uInternet Settings,ProxyServer = 210.21.12.94:8080
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download using Download &Express - c:\documents and settings\Jim\Desktop\Add_Url.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: allmusic.com, click Add \www
Trusted Zone: creative.com\us
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\24rs5ze6.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://www.prospect.org/
FF - prefs.js: network.proxy.ftp - 195.131.2.37
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 195.131.2.37
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 195.131.2.37
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 195.131.2.37
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.
.
------- File Associations -------
.
inffile=c:\kpcms\I386\NOTEPAD.EXE %1
inifile=c:\kpcms\I386\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 01:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winpri = c:\windows\system32\winpri.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\windows\Nhksrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\ScsiAccess.EXE
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\program files\Netropa\OSD.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2009-05-11 1:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-11 05:06
ComboFix2.txt 2008-07-26 05:47

Pre-Run: 75,061,657,600 bytes free
Post-Run: 75,075,301,376 bytes free

307 --- E O F --- 2009-05-10 18:21
That one with all the question marks is the one I see when I boot up. It flashed about three times after startup... Once before combofix started making the log and twice after. I'm gonna reboot to see if it's gone.

Edited by vordabois, 11 May 2009 - 01:46 AM.


#9 vordabois
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Westerville, Ohio

Posted 11 May 2009 - 12:18 AM

No, the little box still flashes in the upper-left corner.

But my computer booted up noticeably faster!

Edited by vordabois, 11 May 2009 - 02:33 AM.


#10 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 11 May 2009 - 02:52 PM

Hello, vordabois :thumbup2:
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/221926/dont-know-what-im-infected-with-sorry/?p=1258656
    collect::
    c:\windows\system32\winpri.exe
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    "winpri"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "UseDesktopIniCache"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrolk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllji]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJCTKD]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{71687B8F-7340-6E5A-7693-7A429A184916}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEF0E631-B2F5-8B40-D982-25F332109689}]
    [-HKEY_CLASSES_ROOT\CLSID\{71687B8F-7340-6E5A-7693-7A429A184916}]
    [-HKEY_CLASSES_ROOT\CLSID\{BEF0E631-B2F5-8B40-D982-25F332109689}]
    ADS::
    C:\WINDOWS
    dds::
    uInternet Settings,ProxyServer = 210.21.12.94:8080
    firefox::
    FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\24rs5ze6.default\
    FF - prefs.js: network.proxy.ftp - 195.131.2.37
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - 195.131.2.37
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - 195.131.2.37
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.socks - 195.131.2.37
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - 195.131.2.37
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 2
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3

Edited by Billy O'Neal, 11 May 2009 - 02:53 PM.


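The log in post #8 and the CFScript in post #10, as an added example that is not part of this thread and not ComboFix, catchme or BleepingComputer code: a short Python triage pass that reads ComboFix log text and pulls out the things the script had to remove. It lists the non-default Winlogon\Notify packages, the Active Setup stubs (including the one whose path, C:\WINDOWS:winupdate.exe, names an NTFS alternate data stream on the Windows directory rather than a file inside it, which is why the script has an ADS:: section for C:\WINDOWS), the IE and Firefox proxies that point at public addresses, and the catchme entry padded with bytes it prints as '?'. SAMPLE_LOG is a hand-shortened excerpt of the first log; the function and constant names are my own.

```python
# Added example for this thread (not ComboFix, catchme or BleepingComputer code):
# a triage pass over ComboFix log text for the indicators the CFScript above had
# to remove. SAMPLE_LOG is a hand-shortened excerpt of the first log posted above.
import ipaddress
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrolk]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{71687B8F-7340-6E5A-7693-7A429A184916}]
C:\WINDOWS:winupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BEF0E631-B2F5-8B40-D982-25F332109689}]
c:\windows\system32\winpri.exe

uInternet Settings,ProxyServer = 210.21.12.94:8080
FF - prefs.js: network.proxy.http - 195.131.2.37
FF - prefs.js: network.proxy.http_port - 3128

scanning hidden autostart entries ...
winpri = c:\windows\system32\winpri.exe????????????????
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\]+)$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\(\{[0-9a-f-]+\})$", re.I)
# Drive letter, path, then a second colon: "C:\WINDOWS:winupdate.exe" is an NTFS
# alternate data stream on the C:\WINDOWS directory, not a file inside it.
ADS_RE = re.compile(r"^[a-z]:\\[^:]*:[^\\:]+$", re.I)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)$", re.M)
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(\w+)\s*-\s*(\S+)$", re.M)

def parse_sections(log):
    """(key, [value lines]) blocks: a [KEY] header plus the lines up to the next
    blank line; lines with no header (proxy lines, catchme output) get key ''."""
    sections, key, lines = [], None, []
    for raw in log.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if key is not None or lines:
                sections.append((key or "", lines))
            key, lines = None, []
        elif key is None and not lines and SECTION_RE.match(line):
            key = line[1:-1]
        else:
            lines.append(line)  # includes ComboFix's own [BU] marker lines
    return sections

def winlogon_notify_packages(sections):
    """Non-default Winlogon\\Notify subkeys: DLLs winlogon.exe loads at logon."""
    return [NOTIFY_RE.search(k).group(1) for k, _ in sections if NOTIFY_RE.search(k)]

def active_setup_stubs(sections):
    """(GUID, StubPath, is_ads) for Active Setup\\Installed Components, a
    once-per-user-profile autorun that most startup viewers do not list."""
    out = []
    for key, lines in sections:
        m = ACTIVE_SETUP_RE.search(key)
        if m and lines:
            out.append((m.group(1), lines[0], bool(ADS_RE.match(lines[0]))))
    return out

def is_local_proxy(host):
    """True only for a private or loopback IP; a bare hostname gets reported."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback

def proxy_hijacks(log):
    """IE and Firefox proxies outside the local network: (setting, host, port)."""
    hits = []
    for m in IE_PROXY_RE.finditer(log):
        host, _, port = m.group(1).rpartition(":")
        if not is_local_proxy(host):
            hits.append(("IE ProxyServer", host, int(port) if port.isdigit() else None))
    ff = dict(FF_PROXY_RE.findall(log))
    for proto in ("http", "ssl", "ftp", "gopher", "socks"):
        host, port = ff.get(proto), ff.get(proto + "_port", "")
        if host and not is_local_proxy(host):
            hits.append((f"Firefox network.proxy.{proto}", host, int(port) if port.isdigit() else None))
    return hits

def hidden_autostarts(log):
    """catchme's hidden-autostart block as (name, path, trailing '?' count); the
    '?' run is non-printable padding that keeps the value from displaying cleanly."""
    start = log.find("scanning hidden autostart entries")
    if start < 0:
        return []
    end = log.find("scanning hidden files", start)
    block = log[start:end] if end > 0 else log[start:]
    found = (re.match(r"^(\S+)\s*=\s*(.*?)(\?*)$", ln.strip()) for ln in block.splitlines())
    return [(m.group(1), m.group(2), len(m.group(3))) for m in found if m]

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    print(winlogon_notify_packages(secs), active_setup_stubs(secs), proxy_hijacks(SAMPLE_LOG), hidden_autostarts(SAMPLE_LOG), sep="\n")
```

Two caveats a practitioner would want alongside this. Explorer and a plain dir never show a stream such as C:\WINDOWS:winupdate.exe; on XP the Sysinternals streams.exe utility lists them (streams C:\WINDOWS), and dir /r does on Vista and later. The Security Center DisableMonitoring values in the log are deliberately not flagged here: suites such as Norton 360 set them when they register as the machine's monitor, and the CFScript correctly left them alone. Anything sent over plain HTTP while both browsers were routed through those public proxy addresses should be treated as exposed.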
#11 vordabois
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Westerville, Ohio

Posted 11 May 2009 - 04:39 PM

Here's the new one...


ComboFix 09-05-09.05 - Jim 05/11/2009 17:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.214 [GMT -4:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*

file zipped: c:\windows\system32\winpri.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winpri.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-04-25 04:50 . 2009-04-25 04:50 -------- d-----w c:\documents and settings\Jim\Application Data\Moyea
2009-04-15 21:23 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 21:23 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 21:23 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 21:23 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 21:23 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 21:23 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 21:23 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 21:23 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 21:23 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 21:22 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 21:22 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\system32\scripting
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\l2schemas
2009-04-15 18:34 . 2009-04-15 18:34 -------- d-----w c:\windows\system32\en

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 21:19 . 2006-04-14 10:26 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-10 17:25 . 2006-04-14 10:28 -------- d-----w c:\program files\Java
2009-05-10 17:17 . 2006-04-14 10:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-27 06:27 . 2006-04-14 10:25 -------- d-----w c:\program files\Azureus
2009-04-15 18:40 . 2002-05-31 07:13 81365 ----a-w c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-04-08 18:06 . 2007-07-02 07:22 -------- d-----w c:\program files\Norton 360
2009-04-08 03:40 . 2008-04-27 08:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 05:38 . 2006-04-14 10:27 -------- d-----w c:\program files\DivX
2009-04-04 05:35 . 2009-04-04 05:34 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-21 05:49 . 2008-11-26 04:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2003-04-27 08:15 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-07-20 05:34 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-19 17:03 . 2009-02-19 17:03 579464 ----a-w c:\windows\system32\SymNeti.dll
2009-02-19 17:03 . 2009-02-19 17:03 207240 ----a-w c:\windows\system32\SymRedir.dll
2009-02-19 16:31 . 2009-02-19 16:31 31280 ----a-w c:\windows\system32\drivers\SymIM.sys
2009-02-19 16:31 . 2009-02-19 16:31 41008 ----a-w c:\windows\system32\drivers\symndisv.sys
2009-02-19 16:31 . 2009-02-19 16:31 96560 ----a-w c:\windows\system32\drivers\symfw.sys
2009-02-19 16:31 . 2009-02-19 16:31 38576 ----a-w c:\windows\system32\drivers\symids.sys
2009-02-19 16:31 . 2009-02-19 16:31 37424 ----a-w c:\windows\system32\drivers\symndis.sys
2009-02-19 16:31 . 2009-02-19 16:31 22320 ----a-w c:\windows\system32\drivers\symredrv.sys
2009-02-19 16:31 . 2009-02-19 16:31 184496 ----a-w c:\windows\system32\drivers\symtdi.sys
2009-02-19 16:31 . 2009-02-19 16:31 13616 ----a-w c:\windows\system32\drivers\symdns.sys
2002-01-09 18:57 . 2002-01-09 03:11 1159 ----a-w c:\program files\Untitle.el
1999-04-16 15:20 . 2001-12-16 17:42 196608 ----a-w c:\program files\DotColor.exe
1998-02-10 22:34 . 2002-03-12 12:17 128000 ----a-w c:\program files\UNWISE.EXE
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-01 02:47 . 2009-01-08 19:17 324976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2007-06-28 08:48 . 2007-06-28 08:48 377 --sha-w c:\windows\SYSTEM32\klkkj.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-05-11_05.00.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-11 21:18 . 2009-05-11 21:18 16384 c:\windows\temp\Perflib_Perfdata_490.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellTouch"="c:\windows\DELLMMKB.EXE" [2001-09-23 163840]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2001-10-12 200704]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-07-20 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"flockbox"="c:\program files\Folder Lockbox\flockbox.exe" [2006-08-22 1597952]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-07-13 3375104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"LTWinModem1"="ltmsg.exe" - c:\windows\SYSTEM32\ltmsg.exe [2001-04-03 38912]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2005-12-10 1519616]

c:\documents and settings\Jim\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2002-11-2 249344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-10-24 450560]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll
"aux1"= ctwdm32.dll
"wave4"= serwvdrv.dll
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield Vietnam\\BfVietnam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RaySource\\RaySource.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57773:TCP"= 57773:TCP:Pando P2P TCP Listening Port
"57773:UDP"= 57773:UDP:Pando P2P UDP Listening Port
"57512:TCP"= 57512:TCP:Pando P2P TCP Listening Port
"57512:UDP"= 57512:UDP:Pando P2P UDP Listening Port
"58274:TCP"= 58274:TCP:Pando P2P TCP Listening Port
"58274:UDP"= 58274:UDP:Pando P2P UDP Listening Port

R0 MPRIFL;MPRIFL;c:\windows\SYSTEM32\DRIVERS\mprifl.sys [9/9/2006 7:50 AM 13824]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 3:37 PM 149352]
R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [8/6/2001 3:41 PM 28672]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/26/2009 12:58 PM 101936]
R3 Msikbd2k;DellTouch;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [10/3/2000 5:18 PM 6942]
S3 ADSP24WDM;Service for AudioDSP24 Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ADSPWDM.sys [10/31/2001 3:20 PM 80578]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [1/12/2008 10:32 PM 23888]
S3 LCcFltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCcFltr.Sys [12/12/2001 11:07 AM 13052]
S3 OASIS;OASIS;c:\windows\SYSTEM32\DRIVERS\oasisusb.sys [5/3/2003 7:59 PM 21959]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\SYSTEM32\DRIVERS\WebSTAR.sys [12/17/2001 12:25 PM 15417]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download using Download &Express - c:\documents and settings\Jim\Desktop\Add_Url.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: allmusic.com, click Add \www
Trusted Zone: creative.com\us
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\24rs5ze6.default\
FF - prefs.js: browser.search.selectedEngine - Webster
FF - prefs.js: browser.startup.homepage - hxxp://www.prospect.org/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\adsldpc.dll
.
Completion time: 2009-05-11 17:29
ComboFix-quarantined-files.txt 2009-05-11 21:29
ComboFix2.txt 2009-05-11 05:06
ComboFix3.txt 2008-07-26 05:47

Pre-Run: 74,261,778,432 bytes free
Post-Run: 74,247,544,832 bytes free

198 --- E O F --- 2009-05-11 19:00
Upload was successful

#12 Billy O'Neal
Visual C++ STL Maintainer
Malware Response Team
Location: Redmond, Washington

Posted 11 May 2009 - 08:06 PM

Hello, vordabois :thumbup2:
That looks much better :) How are things running?

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3

Edited by Billy O'Neal, 11 May 2009 - 08:07 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 Billy O'Neal
Visual C++ STL Maintainer
Malware Response Team
Location: Redmond, Washington

Posted 11 May 2009 - 08:08 PM

I messed up the java instructions above... forgot you had broken versions to remove. The instructions above are updated.

Billy3

#14 vordabois
Topic Starter
Location: Westerville, Ohio

Posted 11 May 2009 - 11:13 PM

That looks much better :) How are things running?


Excellently! The box doesn't flash on startup, I can browse online while I'm running PowerDVD without my cursor disappearing, and I even tried BF Vietnam, and it runs perfectly. All those broken Java programs have disappeared as well!

THANK YOU! :thumbup2:

Before I post the ESET log, just a question. Obviously, I have Norton 360 and it didn't protect me from this or my prior winupdate.exe incident last year (which seems to be very similar to this one). Many people have told me that Norton isn't really all it's hyped up to be and that it hogs up CPU usage. (And it does, particularly when I'm game playing... I have to physically unplug my connection to the internet so it's not choppy as all hell. Granted, I have an older machine, but yeah, there's a huge difference.) In your opinion, what is/are the best program(s) for internet security? I'd never heard of this ESET program... is it [or are there others that are] much more effective? I mean, I ran another comprehensive (2.5-hour) scan with Norton before you first responded and it found zero threats, whereas ESET online found 31 after your help.

Anyways, here's the log....

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4065 (20090511)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=d8f9c772941d4a46aafd5f9bd67fe0f4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-12 03:59:03
# local_time=2009-05-11 11:59:03 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=291260
# found=31
# scan_time=6558
C:\Documents and Settings\Jim\.jpi_cache\file\1.0\Counter.class-762d722b-7c067106.class Win32/Adware.CWS.gen application (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Jim\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-750095e2.class Win32/Adware.CWS.gen application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\[4]-Submit_2009-05-11_17.22.59.zip Win32/Tenspy.C trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\[4]-Submit_2009-05-11_17.22.59.zip »ZIP »winpri.exe Win32/Tenspy.C trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ajuyrvud.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bbxcaxqc.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fsadmbme.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gpabfrki.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IhPYbJlm.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IhPYbJlm.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijllm.bak1.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijllm.bak2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijllm.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijllm.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ijllm.tmp.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jncisbpb.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\laprmomc.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lejejgdn.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lqoatrvo.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pumlljjj.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\puvwfaud.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qeuditsm.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sthdbgkk.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tfllqmfs.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ukvduloj.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vftlgorx.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wkfqgsjo.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wotwnnds.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP3177\A0464637.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\Desire-uninstall.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\klkkj.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000

Edited by vordabois, 11 May 2009 - 11:52 PM.


#15 Billy O'Neal
Visual C++ STL Maintainer
Malware Response Team
Location: Redmond, Washington

Posted 12 May 2009 - 04:03 PM

Hello, vordabois :step4:

You are very welcome :step1:

In your opinion, what is/are the best program(s) for internet security? I'd never heard of this ESET program... is it [or are there others that are] much more effective? I mean, I ran another comprehensive (2.5-hour) scan with Norton before you first responded and it found zero threats, whereas ESET online found 31 after your help.

I (yikes) don't actually use an anti-virus program. I'm therefore not really qualified to answer questions about them; all I have are test results. I generally like the website http://av-comparatives.org. They test several different anti-virus engines, including those from ESET and Symantec, with ~3 million malware samples. They also provide very detailed descriptions of the settings used for each scanner, as well as reporting of false positives, etc. I encourage you to take a look.

I use the ESET online scan because the others I've tried, such as the one from Kaspersky or the one from Trend Micro, have a bad habit of crashing the browser before the scan completes, destroying the list of deleted files. I use that list to ensure ESET didn't make any mistakes. I'm not endorsing the standalone product, but the online scanner is the most stable of the ones I've used, and is also nice because of its simple use. Some other scanners have as many as 10 or 20 steps before even starting the online scan!

When I ask a user to install an anti-virus application, I generally post a complete list, as follows:

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Out of the free products below, I recommend Avira (First Choice) or Avast. Note: Avira will display Ads occasionally but is slightly faster.
Out of the pay-for products I recommend NOD32 or VIPRE.

Some free AntiVirus programs for non commercial home use are (alphabetical order):

Some commercial AntiVirus programs are (alphabetical order):

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.


If you do decide to switch to something else from Norton, please keep in mind that the security part of Norton 360 should be uninstalled. You can ensure Norton is completely gone using the Norton Removal Tool -> http://service1.symantec.com/Support/tsgen...005033108162039

whereas ESET online found 31 after your help.

Actually, most of those files were already dealt with ;)

C:\Documents and Settings\Jim\.jpi_cache\file\1.0\Counter.class-762d722b-7c067106.class Win32/Adware.CWS.gen application (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Jim\.jpi_cache\file\1.0\SecurityClassLoader.class-6fd9f626-750095e2.class Win32/Adware.CWS.gen application (unable to clean - deleted) 00000000000000000000000000000000

These are in Java's cache. They are files that contain code that exploits older versions of Java. However, it's just a cache. The files will not be run again unless the website which installed them in the first place is visited again.

C:\QooBox\Quarantine\[4]-Submit_2009-05-11_17.22.59.zip Win32/Tenspy.C trojan (deleted) 00000000000000000000000000000000
.....

These are files already removed by ComboFix (Will be erased when you uninstall ComboFix)

C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP3177\A0464637.ini

Backup copies maintained by System Restore. (System Restore's cache will be cleared when you uninstall ComboFix.)

C:\WINDOWS\SYSTEM32\Desire-uninstall.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\klkkj.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000

New stuff not shown in previous scans.

Of the files there, only those two really are new, and they were not running/active. They could have sat there forever and not bothered you because Windows had no way of running them (not auto-starting).

Please do not skip the CF uninstall step ;)

Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u"; it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double-click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan hosts file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, and the paid versions provide a resident scanner and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3
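The triage Billy walks through above (cache vs. ComboFix quarantine vs. System Restore copies vs. genuinely live files) can be automated for any ESET Online Scanner log of this format. The script below is an added example written for this page, not code from BleepingComputer, ESET or the poster; the category names and the path rules are my own assumptions, and the sample log is a constructed subset modelled on the entries posted above.

```python
"""Triage an ESET Online Scanner log: which findings were live, and which were
already quarantined or cached?  Added example; category names are my own."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the log posted above (a subset, not the real file).
SAMPLE_LOG = r"""
# version=4
# end=finished
# remove_checked=true
# found=6
C:\Documents and Settings\Jim\.jpi_cache\file\1.0\Counter.class-762d722b-7c067106.class Win32/Adware.CWS.gen application (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\[4]-Submit_2009-05-11_17.22.59.zip Win32/Tenspy.C trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\[4]-Submit_2009-05-11_17.22.59.zip »ZIP »winpri.exe Win32/Tenspy.C trojan (error while cleaning - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP3177\A0464637.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\Desire-uninstall.exe probably a variant of Win32/Genetik trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\klkkj.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
"""

# One finding line is: <path> <detection> (<action>) <32 hex chars>.
# The path may contain spaces; the detection is "Family/Name type", optionally
# prefixed by "probably a variant of"; the action sits in the final parentheses.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of )?\S+/\S+ \S+) "
    r"\((?P<action>.+)\) "
    r"(?P<hash>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    action: str
    category: str


def classify(path: str) -> str:
    """Bucket a hit by where it lived, mirroring the reasoning in the post:
    Java cache, ComboFix quarantine and System Restore copies were inert;
    anything else counts as live.  The path rules are assumptions."""
    p = path.lower()
    if "\\.jpi_cache\\" in p:
        return "java-cache"
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if p.startswith("c:\\system volume information\\"):
        return "system-restore"
    return "live"


def declared_found(text: str) -> int:
    """Value of the '# found=N' header, or -1 if it is absent."""
    m = re.search(r"^# found=(\d+)$", text, re.MULTILINE)
    return int(m.group(1)) if m else -1


def parse_log(text: str) -> list[Finding]:
    """Parse every finding line; headers and blank lines are skipped,
    anything else that does not fit the format is an error, not silently dropped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = FINDING_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line!r}")
        findings.append(Finding(m["path"], m["detection"], m["action"],
                                classify(m["path"])))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def live_paths(findings: list[Finding]) -> list[str]:
    """The only entries that warrant follow-up: hits outside cache or quarantine."""
    return [f.path for f in findings if f.category == "live"]


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print(f"declared={declared_found(SAMPLE_LOG)} parsed={len(hits)}")
    for cat, n in sorted(summarize(hits).items()):
        print(f"{cat:20} {n}")
    for p in live_paths(hits):
        print("LIVE:", p)
```

Comparing the `# found=` header with the number of parsed lines catches a truncated paste, and the strict parser refuses to guess at a line it cannot read. On the sample, four of the six hits fall into the inert buckets and only the two `SYSTEM32` files come out as live, which is the same conclusion the post reaches by hand.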



