Explorer windows pop up even if not using computer


  • This topic is locked
10 replies to this topic

#1 caseyf

caseyf

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:32 PM

Posted 28 November 2009 - 12:28 PM

While using the computer or not, every few minutes a window will pop up. Most say my computer is infected, but some say links were not found or broken, and some want me to chat with a scantily clad woman. Most can be clicked away; one I have to bring up Windows Task Manager to get rid of. All seem to be in a Windows Internet Explorer window. It doesn't seem to be doing anything bad to the computer, just annoying. I haven't followed any of the links.


DDS (Ver_09-11-24.02) - NTFSx86
Run by HP_Owner at 10:33:03.10 on Sat 11/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.101 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\igfxtray.exe
F:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Timex\Data Link USB\DataLinkLauncher.exe
F:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Program Files\ScottradeELITE\ScottradeELITEClientUpdater.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Virtual Magnifying Glass\Magnifying Glass.exe
c:\windows\mstre24.exe
c:\windows\pp12.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE -k fioo32
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberDefender\Registry Cleaner\CDregclean.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\HP_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - f:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - f:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - f:\program files\adobe\adobe acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [CyberDefender Registry Cleaner] c:\program files\cyberdefender\registry cleaner\CDregclean.exe
uRunOnce: [MISPInst] "c:\docume~1\hp_owner\locals~1\temp\mcinstalltemp\Install.exe" /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart /Resume /Restart
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VTTimer] VTTimer.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AdobeVersionCue] f:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PhilipsDM] "c:\program files\philips\philips device manager\bin\DeviceManager.exe"
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Acrobat Assistant 7.0] "f:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AutoTBar] c:\program files\hp\digital imaging\bin\AUTOTBAR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [sysldtray] c:\windows\ld15.exe
mRun: [SySmstray] c:\windows\mstre24.exe
mRun: [pp] c:\windows\pp12.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~2\VPTray.exe
mRun: [CyberDefender Registry Cleaner]
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\hotsyn~1.lnk - f:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - f:\program files\adobe\adobe acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timexd~1.lnk - c:\program files\timex\data link usb\DataLinkLauncher.exe
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - f:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {4B30061A-5B39-11D3-80F8-0090276F843F} - c:\program files\net2phone\Net2fone.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://jran.uscourts.gov/whalecomec3fab80752db7cbd36e007c67f9538c9b0348529990fca2/whalecom0/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://jran.uscourts.gov/InternalSite/WhlCompMgr.cab
DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
mASetup: {621FCD24-4498-4324-A81E-07D331376EDF} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\reaudshh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: f:\program files\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 fio32;fio32;c:\windows\system32\drivers\fio32.sys [2009-11-23 59520]
R2 SemLPT;SemLPT;c:\windows\system32\drivers\Semlpt.sys [2005-5-5 41984]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\spyware doctor\pctsAuxs.exe [2008-5-27 337800]

=============== Created Last 30 ================

2009-11-27 19:29:27 0 d-----w- c:\docume~1\hp_owner\applic~1\CyberDefender
2009-11-27 19:29:04 0 d-----w- c:\program files\CyberDefender
2009-11-25 15:26:00 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-11-25 15:26:00 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-25 15:25:59 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-25 15:25:59 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-24 01:13:36 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-24 01:13:35 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-24 01:13:35 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-24 01:13:35 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-23 19:45:57 36352 ---h--w- c:\windows\pp12.exe
2009-11-23 19:45:57 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2009-11-23 19:45:43 59520 ----a-w- c:\windows\system32\drivers\fio32.sys
2009-11-23 19:45:43 50688 ----a-w- c:\windows\system32\fio32.dll
2009-11-23 19:45:21 92672 ----a-w- c:\windows\rdr_1259005517.exe
2009-11-23 19:45:18 53760 ----a-w- c:\windows\mstre24.exe
2009-11-23 19:45:18 1 ---h--w- c:\windows\mmsmark3.dat
2009-11-23 19:45:17 2 ----a-w- c:\windows\0101120101465250.xxe
2009-11-23 19:45:15 1 ----a-w- c:\windows\conf21113.dat
2009-11-23 19:45:12 34816 ----a-w- c:\windows\rdr_1259005510.exe
2009-11-23 19:45:10 2 ----a-w- c:\windows\010112010146116101.xxe
2009-11-23 19:44:04 2 ----a-w- c:\windows\010112010146101105.rx
2009-11-23 19:43:16 41984 ----a-w- c:\windows\ld15.exe

==================== Find3M ====================

2005-09-03 03:30:18 952 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:35:58.29 ===============
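Added example (not from caseyf's post, BleepingComputer, or the DDS tool): a Python triage script that applies two checks to DDS output like the log above, executables started directly from C:\WINDOWS and an svchost.exe hosting a service group Windows does not define, and cross-references Run values against the process list; the items it flags match what ComboFix later removes in this thread. The service-group and Windows-root allowlists are assumptions for an XP system, and the sample log lines are constructed in the shape of the output above.

```python
"""Triage heuristics for a DDS log's 'Running Processes' and 'Pseudo HJT Report' sections."""
import re

# svchost.exe service groups that Windows XP itself starts (assumption: an XP-era
# box like the one in the log; extend the set for other Windows versions).
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
                        "imgsvc", "httpfilter", "wudfservicegroup", "termsvcs"}
# Programs that legitimately live directly in %SystemRoot% on XP (assumption).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'"?([a-zA-Z]:\\[^"]*?\.(?:exe|scr|com|bat))', re.IGNORECASE)
PROC_RE = re.compile(r"^(?P<path>.*?\.(?:exe|scr|com))(?:\s+(?P<args>.*))?$", re.IGNORECASE)
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\([^\\]+)$")

# Constructed sample in the shape of the DDS output quoted above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
c:\windows\mstre24.exe
c:\windows\pp12.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE -k fioo32
============== Pseudo HJT Report ===============
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [sysldtray] c:\windows\ld15.exe
mRun: [SySmstray] c:\windows\mstre24.exe
mRun: [pp] c:\windows\pp12.exe
mRun: [<NO NAME>]
"""

def parse_sections(text):
    # Group non-blank lines under the '=== Title ===' banner that precedes them.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def split_process_line(line):
    # Split 'C:\dir\prog.exe -k group' into (image path, argument tail).
    m = PROC_RE.match(line)
    if m:
        return m.group("path"), (m.group("args") or "")
    # DDS may omit the extension, e.g. 'C:\WINDOWS\system32\svchost -k DcomLaunch'
    path, sep, tail = line.partition(" -")
    return path, (sep + tail).strip()

def in_windows_root(path):
    """True for an image directly in C:\\WINDOWS that Windows itself does not keep there."""
    m = WIN_ROOT_RE.match(path.lower())
    return bool(m) and m.group(1) not in WINDOWS_ROOT_ALLOWLIST

def check_svchost(path, args):
    """Flag an unknown '-k' group (a service Windows did not register) or odd casing."""
    image = path.rsplit("\\", 1)[-1]
    if not image.lower().startswith("svchost"):
        return []
    notes = []
    m = re.search(r"-k\s+(\S+)", args, re.IGNORECASE)
    if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
        notes.append("hosts unknown service group '%s'" % m.group(1))
    if image not in ("svchost.exe", "svchost"):
        notes.append("image name has unusual casing '%s'" % image)
    return notes

def parse_run_entries(lines):
    # Extract hive, value name and target executable from uRun:/mRun: lines.
    entries = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("cmd"))
            entries.append({"hive": m.group("hive"), "name": m.group("name"),
                            "target": exe.group(1) if exe else None})
    return entries

def triage(text):
    """Run the heuristics over a DDS log and return a list of finding dicts."""
    sections = parse_sections(text)
    findings, running = [], set()
    for line in sections.get("Running Processes", []):
        path, args = split_process_line(line)
        running.add(path.lower())
        notes = check_svchost(path, args)
        if notes:
            findings.append({"rule": "svchost", "item": line, "note": "; ".join(notes)})
        if in_windows_root(path):
            findings.append({"rule": "windows-root", "item": line,
                             "note": "process image sits directly in the Windows directory"})
    # Persistence: Run values pointing into the Windows root, cross-checked with the process list.
    for e in parse_run_entries(sections.get("Pseudo HJT Report", [])):
        if e["target"] and in_windows_root(e["target"]):
            live = " (currently running)" if e["target"].lower() in running else ""
            findings.append({"rule": "run-key", "item": e["name"],
                             "note": "%sRun value starts %s%s" % (e["hive"], e["target"], live)})
    return findings
```

Run `triage(open("dds.txt").read())` on a saved DDS log to get the same findings for a real machine; a hit is a lead for the analyst, not a verdict.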


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 28 November 2009 - 03:32 PM

Hello caseyf,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training, I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 02 December 2009 - 09:43 PM

Hello caseyf,

I currently have a fix proposed; as soon as it is approved I will post it. Sorry for the delay. If you have fixed your problem or no longer need assistance, please let me know.



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 03 December 2009 - 07:06 PM

Hello caseyf,

Sorry for the delay; here is the start to your fix.

Please follow all directions in order given.

1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
2.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Gmer.log
How is your machine running now?



#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 06 December 2009 - 05:55 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it



#6 caseyf

caseyf
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:03:32 PM

Posted 07 December 2009 - 08:53 AM

Sorry for the delay. I've been very busy. I ran everything and it seemed to go fine except for gmer. It was running and then the screen went black. I waited for quite a while with no further activity and finally had to reboot the computer. I ran it again and somewhere during its running the computer rebooted on its own. I left it running last night when I went to bed and it seemed to have finished. Results follow. The procedure seems to have fixed the pop-up problem and everything seems to be running normally.
Thanks,
caseyf


ComboFix 09-12-06.09 - HP_Owner 12/06/2009 19:30.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.356 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\1.wmv
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\CyberDefender Registry Cleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CyberDefender\Registry Cleaner\Uninstall CyberDefender Registry Cleaner.lnk
c:\documents and settings\HP_Owner\Application Data\CyberDefender
c:\program files\CyberDefender
c:\program files\CyberDefender\Registry Cleaner\BeforeUninstall.exe
c:\program files\CyberDefender\Registry Cleaner\CDRC.dll
c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
c:\program files\CyberDefender\Registry Cleaner\cdswx.exe
c:\program files\CyberDefender\Registry Cleaner\KillCDRCProcesses.exe
c:\program files\CyberDefender\Registry Cleaner\startcdrc.exe
c:\program files\CyberDefender\Registry Cleaner\unins000.dat
c:\program files\CyberDefender\Registry Cleaner\unins000.exe
c:\program files\CyberDefender\Registry Cleaner\unins000.msg
c:\program files\webserver
c:\program files\webserver\webserver.exe
c:\recycler\S-1-5-21-2681068415-1188324707-1559676778-1003
c:\windows\010112010146100101.xxe
c:\windows\010112010146101105.rx
c:\windows\010112010146111103.xxe
c:\windows\010112010146116101.xxe
c:\windows\0101120101465249.xxe
c:\windows\0101120101465250.xxe
c:\windows\0101120101465348.xxe
c:\windows\0101120101465349.xxe
c:\windows\0101120101465350.xxe
c:\windows\0101120101465355.xxe
c:\windows\0101120101465548.xxe
c:\windows\0101120101465649.xxe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\fdgg34353edfgdfdf
c:\windows\jestertb.dll
c:\windows\ld15.exe
c:\windows\mmsmark3.dat
c:\windows\mstre24.exe
c:\windows\pp12.exe
c:\windows\rdr_1259005510.exe
c:\windows\rdr_1259764425.exe
c:\windows\rdr_1259764439.exe
c:\windows\rdr_1259783889.exe
c:\windows\rdr_1259783891.exe
c:\windows\rdr_1259783892.exe
c:\windows\rdr_1260117258.exe
c:\windows\rdr_1260117260.exe
c:\windows\rdr_1260117269.exe
c:\windows\system32\__c00ACAC4.dat
c:\windows\system32\drivers\fio32.sys
c:\windows\system32\fio32.dll
c:\windows\system32\FXAB32(2).DLL
c:\windows\system32\Fxdb(2).dll
c:\windows\system32\ps2.bat
c:\windows\viassary-hp.reg
C:\xcrashdump.dat
D:\Autorun.inf

Infected copy of c:\windows\system32\mshtml.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mshtml.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIOO32
-------\Legacy_WEBSERVER
-------\Service_fioo32
-------\Service_SfX
-------\Service_webserver
-------\Legacy_fio32
-------\Service_fio32


((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))
.

2009-11-28 00:37 . 2009-11-19 17:48 43008 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-28 00:37 . 2009-11-19 17:48 340480 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-28 00:37 . 2009-11-19 17:48 872960 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-28 00:37 . 2009-11-19 17:48 346624 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-25 15:26 . 2009-11-25 15:26 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-11-25 15:26 . 2009-11-25 15:26 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-25 15:25 . 2009-11-25 15:26 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-25 15:25 . 2009-11-25 15:26 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-24 01:13 . 2009-11-24 01:14 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-24 01:13 . 2009-11-24 01:14 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-23 19:45 . 2009-11-23 19:45 1 ----a-w- c:\windows\conf21113.dat
2009-11-18 00:44 . 2009-11-18 00:44 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-07 02:02 . 2005-12-20 01:25 -------- d-----w- c:\program files\Symantec Antivirus
2009-12-06 19:30 . 2006-06-13 20:33 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2009-11-27 20:07 . 2004-08-12 04:25 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-11-24 01:14 . 2005-12-20 01:31 -------- d-----w- c:\program files\Symantec
2009-11-24 01:14 . 2009-11-24 01:13 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-24 01:14 . 2009-11-24 01:13 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-24 01:12 . 2004-08-12 06:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 01:12 . 2004-08-12 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-18 04:32 . 2005-01-04 22:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2004-11-07 18:58 . 2005-01-04 02:29 44151 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2005-09-03 03:30 . 2005-09-03 03:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe

c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MISPInst"="c:\docume~1\HP_Owner\LOCALS~1\Temp\McInstallTemp\Install.exe " [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-12 180269]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"AdobeVersionCue"="f:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-08-27 516096]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-15 125632]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\program files\Palm\HOTSYNC.EXE [2003-2-28 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - f:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-1 110592]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-8-3 1528880]
Timex Data Link USB Launcher.lnk - c:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2005-1-4 40960]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 17:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 21:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 21:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- f:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2007-12-21 19:05 53248 ----a-w- f:\program files\Fellowes\MediaFace 5\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-12 00:25 1961984 ----a-w- c:\program files\Nero\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2005-12-01 05:45 77892 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
2005-10-12 00:25 1961984 ----a-w- c:\program files\Nero\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\GAMES\\Cubis Gold 2\\cubis2.exe"=
"c:\\Program Files\\FrontPage 2003\\OFFICE11\\FRONTPG.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:webserver

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R2 SemLPT;SemLPT;c:\windows\system32\drivers\Semlpt.sys [5/5/2005 1:56 PM 41984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/2/2009 6:38 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec Antivirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [5/27/2008 9:34 AM 337800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
fioo32 REG_MULTI_SZ fioo32

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 16:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: f:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-CyberDefender Registry Cleaner - c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
HKLM-Run-VTTimer - VTTimer.exe
HKLM-Run-Acrobat Assistant 7.0 - f:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE
HKLM-Run-CyberDefender Registry Cleaner - (no file)
Notify-WgaLogon - (no file)
MSConfigStartUp-Tunebite - f:\program files\RapidSolution\Tunebite\Tunebite.exe
AddRemove-Easy-PhotoPrint - f:\program files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
AddRemove-Foundation Factory 2 - f:\eqprog~1\FOUNDF~1\UNWISE.EXE
AddRemove-Gravity - f:\progra~1\GRAVITY\uninstal f:\progra~1\GRAVITY\UNWISE.EXE
AddRemove-Mald32V4 - c:\mysoft~1\MYADVA~1\uninstall\setup.exe
AddRemove-PS2 - c:\windows\system32\ps2.exe uninstall
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-{2FCE4FC5-6930-40E7-A4F1-F862207424EF} - c:\program files\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe REMOVEALL
AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-06 20:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\ssmypics.scr
.
**************************************************************************
.
Completion time: 2009-12-06 20:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-07 02:17

Pre-Run: 7,763,001,344 bytes free
Post-Run: 9,388,359,680 bytes free

- - End Of File - - 44B0E5F41EAE21854144FAE02A125073




GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 07:40:05
Windows 5.1.2600 Service Pack 2
Running: qhufv8qh.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\awkoakoc.sys


---- System - GMER 1.0.15 ----

SSDT 83A21E40 ZwAlertResumeThread
SSDT 83A2A738 ZwAlertThread
SSDT 83AC5328 ZwAllocateVirtualMemory
SSDT 838BBAE8 ZwConnectPort
SSDT 83A84458 ZwCreateMutant
SSDT 83A25220 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1D59350]
SSDT 83A87A40 ZwFreeVirtualMemory
SSDT 83AF3B68 ZwImpersonateAnonymousToken
SSDT 83AB9670 ZwImpersonateThread
SSDT 83A32B90 ZwMapViewOfSection
SSDT 83A83800 ZwOpenEvent
SSDT 83AFF280 ZwOpenProcessToken
SSDT 83A7FC88 ZwOpenThreadToken
SSDT 83A316C0 ZwQueryValueKey
SSDT 83742AD8 ZwResumeThread
SSDT 83A73FA8 ZwSetContextThread
SSDT 83A726C0 ZwSetInformationProcess
SSDT 83AC87F0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1D59580]
SSDT 83B488A0 ZwSuspendProcess
SSDT 83AF2FD0 ZwSuspendThread
SSDT 83791D80 ZwTerminateProcess
SSDT 83A2B4F0 ZwTerminateThread
SSDT 83AC0218 ZwUnmapViewOfSection
SSDT 83A2E538 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + C8 804E2724 4 Bytes CALL 72D1B2E3
init C:\WINDOWS\System32\Drivers\SemLPT.SYS entry point in "init" section [0xF2E01000]

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text F:\Program Files\Palm\HOTSYNC.EXE[3688] MSVCRT.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 F:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----
, although I haven't been in front of the computer for very long this morning.
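The GMER output above lists 26 SSDT hooks, but only two of them (ZwDeleteValueKey and ZwSetValueKey) carry a driver name; the rest are bare kernel addresses, which is what GMER prints when the hook target does not fall inside any loaded module's image. The script below is an added example for sorting such output, not part of GMER or of the original post: it splits the SSDT lines into resolved and unresolved hooks, reports the address range the unresolved targets occupy, and pulls out the unresolved hooks on process/thread-control services, which are the ones to attribute first. The sample is an excerpt of the posted GMER lines; the PROCESS_CONTROL list and the span heuristic are my own assumptions.

```python
"""Split GMER 'SSDT' lines into hooks attributed to a loaded driver and hooks
reported only as a bare kernel address.

Added triage example; not GMER code and not from the original post.
SAMPLE_GMER is an excerpt of the GMER output posted in this thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_GMER = r"""
SSDT 83A21E40 ZwAlertResumeThread
SSDT 838BBAE8 ZwConnectPort
SSDT 83A25220 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1D59350]
SSDT 83A32B90 ZwMapViewOfSection
SSDT 83A73FA8 ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB1D59580]
SSDT 83791D80 ZwTerminateProcess
SSDT 83A2E538 ZwWriteVirtualMemory
"""

# GMER names the owning driver (plus its description) when the hook target
# lies inside a loaded module's image; otherwise it prints only the address.
RESOLVED = re.compile(r"^SSDT\s+(\S+)\s+\((.+?)\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]$")
UNRESOLVED = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)$")

# Services that self-protection/HIPS drivers and rootkits alike intercept to
# control process and thread manipulation.  Heuristic list (my assumption).
PROCESS_CONTROL = {
    "ZwCreateThread", "ZwWriteVirtualMemory", "ZwSetContextThread",
    "ZwTerminateProcess", "ZwTerminateThread", "ZwMapViewOfSection",
    "ZwSuspendProcess", "ZwSuspendThread", "ZwOpenProcessToken",
}


@dataclass
class Hook:
    func: str
    target: int
    module: Optional[str]   # None when GMER printed only an address
    vendor: Optional[str]


def parse_ssdt(text: str) -> list:
    """Return one Hook per SSDT line; every other line is ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RESOLVED.match(line)
        if m:
            hooks.append(Hook(m.group(3), int(m.group(4), 16), m.group(1), m.group(2)))
            continue
        m = UNRESOLVED.match(line)
        if m:
            hooks.append(Hook(m.group(2), int(m.group(1), 16), None, None))
    return hooks


def summarize(hooks) -> dict:
    """Group hooked service names by owning driver file name, or '<unresolved>'."""
    by_owner = defaultdict(list)
    for h in hooks:
        owner = h.module.rsplit("\\", 1)[-1] if h.module else "<unresolved>"
        by_owner[owner].append(h.func)
    return dict(by_owner)


def unresolved_span(hooks):
    """(lowest, highest) target address among unresolved hooks, or None.
    A tight span hints that the targets share one allocation, i.e. one unnamed driver."""
    addrs = [h.target for h in hooks if h.module is None]
    return (min(addrs), max(addrs)) if addrs else None


def process_control_hooks(hooks) -> list:
    """Unresolved hooks on process/thread-control services: attribute these first."""
    return sorted(h.func for h in hooks if h.module is None and h.func in PROCESS_CONTROL)


if __name__ == "__main__":
    hooks = parse_ssdt(SAMPLE_GMER)
    for owner, funcs in summarize(hooks).items():
        print(f"{owner}: {len(funcs)} hook(s): {', '.join(funcs)}")
    lo, hi = unresolved_span(hooks)
    print(f"unresolved hook targets lie in 0x{lo:08X}..0x{hi:08X}")
    print("unresolved process-control hooks:", process_control_hooks(hooks))
```

Run against the full GMER section the same way; a set of unresolved hooks whose targets cluster together and that all cover thread creation, memory writes and process termination is the signature to attribute next, whether it turns out to be a security product's own driver or something hidden.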

#7 fireman4it

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 08 December 2009 - 05:09 PM

Hello caseyf,

Thanks for the logs! We have some work to do.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"fioo32"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download SystemLook from jpshortstuff and save it to your Desktop

Download Mirror #1

Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    wuauclt.exe
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply
3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Things to include in your next reply:
Combofix.txt
Systemlook Log
ESET log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
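The CFScript above targets three things the ComboFix log made visible: a non-default svchost group (fioo32), two Security Center values that suppress antivirus status reporting, and a stale MSConfig startup entry; the log also shows a globally open inbound port, relaxed ICMP settings and a missing wuauclt.exe. The script below is an added example of how a responder can pull those items out of a ComboFix log mechanically and draft the matching Registry:: lines; it is not ComboFix code and not the helper's own tooling. SAMPLE_LOG is an excerpt of the log posted in this thread, the severity labels and the WSC_OVERRIDES and WELL_KNOWN tables are my own assumptions, and the generated script uses the same REGEDIT4-style syntax as the helper's CFScript ("name"=- deletes a value).

```python
"""Triage the 'Reg Loading Points' and Sigcheck sections of a ComboFix log and
draft the CFScript 'Registry::' lines that would delete the flagged values.

Added example; not ComboFix code or the helper's own tooling.  SAMPLE_LOG is
an excerpt of the log posted in this thread; the rules are my heuristics.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:webserver

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
fioo32 REG_MULTI_SZ fioo32

c:\windows\System32\wuauclt.exe ... is missing !!
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
MISSING_RE = re.compile(r"^(.+?) \.\.\. is missing !!$")

# Security Center values that silence or override its AV/firewall/update state.
WSC_OVERRIDES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                 "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}
WELL_KNOWN = {53: "dns", 80: "http", 443: "https", 3389: "rdp"}   # my lookup table


@dataclass
class Finding:
    severity: str        # "high", "medium" or "info"
    key: str
    name: str
    detail: str
    remove_value: bool = False   # True when '"name"=-' in a CFScript is the fix


def as_int(value: str):
    """Decode ComboFix value renderings such as 'dword:00000001' or '1 (0x1)'."""
    m = re.match(r"dword:([0-9A-Fa-f]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def parse_reg_points(text: str):
    """Yield (key, name, value) for every value printed under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)
            continue
        parts = line.split(None, 2)   # svchost groups: <name> REG_MULTI_SZ <members>
        if len(parts) == 3 and parts[1].startswith("REG_"):
            yield key, parts[0], parts[2]


def triage(text: str) -> list:
    findings = []
    for key, name, value in parse_reg_points(text):
        k = key.lower()
        if k.endswith(r"\currentversion\svchost"):
            # ComboFix omits default svchost groups, so anything printed here is a
            # non-standard group that svchost.exe will load as a service host.
            findings.append(Finding("high", key, name, f"non-default svchost group hosting: {value}", True))
        elif r"\security center" in k and name.lower() in WSC_OVERRIDES and as_int(value) == 1:
            findings.append(Finding("medium", key, name, "Security Center status suppressed", True))
        elif k.endswith(r"\globallyopenports\list"):
            port, proto, label = value.split(":", 2)
            detail = f"port {port}/{proto} open to all inbound, labelled '{label}'"
            if int(port) in WELL_KNOWN and WELL_KNOWN[int(port)] not in label.lower():
                detail += f"; {port} is normally {WELL_KNOWN[int(port)]}"
            findings.append(Finding("medium", key, name, detail))
        elif k.endswith(r"\icmpsettings") and as_int(value) == 1:
            findings.append(Finding("info", key, name, "inbound ICMP request type allowed"))
    for raw in text.splitlines():
        m = MISSING_RE.match(raw.strip())
        if m:
            findings.append(Finding("high", "Sigcheck", m.group(1), "expected system file absent"))
    return findings


def build_cfscript(findings) -> str:
    """Emit a CFScript Registry:: section; '"name"=-' deletes a value (REGEDIT4 syntax)."""
    lines, last_key = ["Registry::"], None
    for f in findings:
        if not f.remove_value:
            continue
        if f.key != last_key:
            lines.append(f"[{f.key}]")
            last_key = f.key
        lines.append(f'"{f.name}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.name}: {f.detail}")
    print(build_cfscript(found))
```

The generated Registry:: section reproduces the value deletions in the helper's script; the [-...\startupreg\AlcxMonitor] key removal is a judgement call about a stale startup entry rather than a rule, so it is left to the responder. A drafted script is a starting point for review, not something to drop onto ComboFix.exe unread.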


#8 caseyf

  • Topic Starter
  • Members
  • 3 posts

Posted 09 December 2009 - 04:11 PM

ComboFix 09-12-06.09 - HP_Owner 12/08/2009 23:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.759.254 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\My Documents\Downloads\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-11-09 to 2009-12-09 )))))))))))))))))))))))))))))))
.

2009-11-28 00:37 . 2009-11-19 17:48 43008 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-28 00:37 . 2009-11-19 17:48 340480 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-28 00:37 . 2009-11-19 17:48 872960 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-28 00:37 . 2009-11-19 17:48 346624 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-25 15:26 . 2009-11-25 15:26 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-11-25 15:26 . 2009-11-25 15:26 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-11-25 15:25 . 2009-11-25 15:26 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-11-25 15:25 . 2009-11-25 15:26 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-11-24 01:13 . 2009-11-24 01:14 48768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-24 01:13 . 2009-11-24 01:14 110952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-23 19:45 . 2009-11-23 19:45 1 ----a-w- c:\windows\conf21113.dat
2009-11-18 00:44 . 2009-11-18 00:44 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-09 05:10 . 2005-12-20 01:25 -------- d-----w- c:\program files\Symantec Antivirus
2009-12-07 16:10 . 2006-06-13 20:33 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Canon
2009-11-27 20:07 . 2004-08-12 04:25 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-11-24 01:14 . 2005-12-20 01:31 -------- d-----w- c:\program files\Symantec
2009-11-24 01:14 . 2009-11-24 01:13 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-24 01:14 . 2009-11-24 01:13 8014 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-24 01:12 . 2004-08-12 06:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-24 01:12 . 2004-08-12 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-18 04:32 . 2005-01-04 22:48 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2004-11-07 18:58 . 2005-01-04 02:29 44151 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2005-09-03 03:30 . 2005-09-03 03:30 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe

c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-12-07_02.03.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-08 02:19 . 2009-12-08 02:19 16384 c:\windows\Temp\Perflib_Perfdata_308.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-31 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MISPInst"="c:\docume~1\HP_Owner\LOCALS~1\Temp\McInstallTemp\Install.exe " [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-12 180269]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"AdobeVersionCue"="f:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-08-27 516096]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-17 135168]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2006-01-17 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~2\VPTray.exe" [2007-03-15 125632]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - f:\program files\Palm\HOTSYNC.EXE [2003-2-28 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - f:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 217194]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-1 110592]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-8-3 1528880]
Timex Data Link USB Launcher.lnk - c:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2005-1-4 40960]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-03-04 17:01 88209 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-08-11 21:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 21:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- f:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaFace Integration]
2007-12-21 19:05 53248 ----a-w- f:\program files\Fellowes\MediaFace 5\SetHook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-10-12 00:25 1961984 ----a-w- c:\program files\Nero\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2005-12-01 05:45 77892 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
2005-10-12 00:25 1961984 ----a-w- c:\program files\Nero\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 10:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\GAMES\\Cubis Gold 2\\cubis2.exe"=
"c:\\Program Files\\FrontPage 2003\\OFFICE11\\FRONTPG.EXE"=
"f:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53:TCP"= 53:TCP:webserver

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)

R2 SemLPT;SemLPT;c:\windows\system32\drivers\Semlpt.sys [5/5/2005 1:56 PM 41984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/2/2009 6:38 PM 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec Antivirus\SavRoam.exe [3/14/2007 7:48 PM 116416]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [5/27/2008 9:34 AM 337800]
S4 Rdpsrvc;Rdpsrvc; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
2007-09-19 16:32 7680 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\reaudshh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: f:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-08 23:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1760)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-08 23:49
ComboFix-quarantined-files.txt 2009-12-09 05:48
ComboFix2.txt 2009-12-07 02:18

Pre-Run: 9,252,806,656 bytes free
Post-Run: 9,205,542,912 bytes free

- - End Of File - - FB245F744F75D136CC31F6718FED9B2D



SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 08:53 on 09/12/2009 by HP_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "wuauclt.exe"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wuauclt.exe --a--- 111104 bytes [12:49 29/11/2008] [00:12 14/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe --a--- 111104 bytes [09:51 28/07/2009] [00:12 14/04/2008] ED7262E52C31CF1625B65039102BC16C
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wuauclt.exe --a--- 111104 bytes [20:56 04/09/2008] [00:12 14/04/2008] ED7262E52C31CF1625B65039102BC16C

-=End Of File=-


C:\Qoobox\Quarantine\C\Program Files\webserver\webserver.exe.vir Win32/TrojanProxy.Small.NEB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\ld15.exe.vir a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\mstre24.exe.vir a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\pp12.exe.vir a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\rdr_1259005510.exe.vir Win32/Koobface.NCM worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\rdr_1259764425.exe.vir Win32/TrojanProxy.Small.NEB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\rdr_1259764439.exe.vir Win32/Tinxy.AJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\___c00ACAC4_.dat.zip Win32/Adware.Virtumonde.NDH application deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\fio32.sys.vir Win32/Tinxy.AP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1927\A0257855.exe Win32/Tinxy.AJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258925.exe Win32/TrojanProxy.Small.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258927.exe a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258928.exe a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258929.exe a variant of Win32/Kryptik.AXH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258930.exe Win32/Koobface.NCM worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258931.exe Win32/TrojanProxy.Small.NEB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258932.exe Win32/Tinxy.AJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258936.sys Win32/Tinxy.AP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{02818594-CB0B-43E3-8139-587D9EF98970}\RP1931\A0258937.dll Win32/Tinxy.AJ trojan cleaned by deleting - quarantined


Seems to be running fine. A little faster rebooting. I know because after it finished ESET, it would no longer start Firefox and when I tried to start IE it stalled and I had to reboot. After reboot, Firefox runs fine.

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 10 December 2009 - 09:15 AM

Hello caseyf,


1. Do you have your Windows XP installation disk, or a copy of one? It may have come with your computer when you purchased it.

2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

3. New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:32 PM

Posted 12 December 2009 - 06:06 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it



#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:05:32 PM

Posted 14 December 2009 - 06:59 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



