H8SRT


19 replies to this topic

#1 crankit211

  • Members
  • 10 posts

Posted 21 December 2009 - 11:27 PM

I've got a virus on my home PC, running Windows XP SP3.
I can't run Malwarebytes, Kaspersky, McAfee, etc.
I tried downloading Microsoft Security Essentials and it doesn't finish the install.
GMER pulled up H8SRT, but I don't know what that is.
Your help is greatly appreciated.
Thanks in advance.
I apologize for the extra long post.

Here's an HJT log and a GMER log.
------------------------------------------------------------------
DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/13/2006 5:41:47 PM
System Uptime: 12/21/2009 8:24:33 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 228 GiB total, 62.885 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Airlink101 SuperG Wireless Cardbus Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A021948&REV_01\4&1B02CB0B&0&18F0
Manufacturer: Airlink101
Name: Airlink101 SuperG Wireless Cardbus Adapter #2
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A021948&REV_01\4&1B02CB0B&0&18F0
Service: N5SG

==== System Restore Points ===================

RP857: 9/19/2009 8:09:40 AM - System Checkpoint
RP858: 9/20/2009 8:36:47 AM - System Checkpoint
RP859: 9/21/2009 9:36:44 AM - System Checkpoint
RP860: 9/22/2009 9:47:09 AM - System Checkpoint
RP861: 9/23/2009 10:42:52 AM - System Checkpoint
RP862: 9/24/2009 11:44:51 AM - System Checkpoint
RP863: 9/25/2009 12:31:00 PM - System Checkpoint
RP864: 9/26/2009 1:32:05 PM - System Checkpoint
RP865: 9/27/2009 1:34:23 PM - System Checkpoint
RP866: 9/28/2009 2:31:00 PM - System Checkpoint
RP867: 9/29/2009 3:43:03 PM - System Checkpoint
RP868: 9/30/2009 4:31:04 PM - System Checkpoint
RP869: 10/1/2009 6:29:17 PM - System Checkpoint
RP870: 10/2/2009 8:59:18 PM - System Checkpoint
RP871: 10/3/2009 9:41:21 PM - System Checkpoint
RP872: 10/4/2009 10:00:21 PM - System Checkpoint
RP873: 10/5/2009 11:12:21 PM - System Checkpoint
RP874: 10/7/2009 12:12:23 AM - System Checkpoint
RP875: 10/7/2009 6:42:49 AM - Software Distribution Service 3.0
RP876: 10/8/2009 7:19:53 AM - System Checkpoint
RP877: 10/8/2009 5:31:44 PM - Installed Microsoft Fix it 50027
RP878: 10/8/2009 5:48:32 PM - Installed %1 %2.
RP879: 10/8/2009 11:22:51 PM - Software Distribution Service 3.0
RP880: 10/10/2009 12:10:45 AM - System Checkpoint
RP881: 10/11/2009 12:22:47 AM - System Checkpoint
RP882: 10/12/2009 1:10:47 AM - System Checkpoint
RP883: 10/13/2009 1:22:44 AM - System Checkpoint
RP884: 10/13/2009 1:51:46 AM - Software Distribution Service 3.0
RP885: 10/14/2009 2:36:48 AM - System Checkpoint
RP886: 10/15/2009 3:10:44 AM - System Checkpoint
RP887: 10/16/2009 1:51:12 AM - Software Distribution Service 3.0
RP888: 10/16/2009 3:00:29 AM - Software Distribution Service 3.0
RP889: 10/17/2009 3:41:15 AM - System Checkpoint
RP890: 10/18/2009 4:41:09 AM - System Checkpoint
RP891: 10/19/2009 5:29:13 AM - System Checkpoint
RP892: 10/19/2009 2:49:45 PM - Software Distribution Service 3.0
RP893: 10/20/2009 8:35:46 AM - Restore Operation
RP894: 10/23/2009 5:29:57 PM - Configured WLAN Monitor
RP895: 10/23/2009 5:41:40 PM - Installed WLAN Monitor
RP896: 10/23/2009 6:09:54 PM - Configured WLAN Monitor
RP897: 10/23/2009 6:28:56 PM - Installed WLAN Monitor
RP898: 10/27/2009 8:00:14 PM - Installed WLAN Monitor
RP899: 10/27/2009 8:05:50 PM - Software Distribution Service 3.0
RP900: 10/28/2009 9:20:54 PM - System Checkpoint
RP901: 10/29/2009 1:22:57 PM - Software Distribution Service 3.0
RP902: 10/30/2009 1:44:50 PM - System Checkpoint
RP903: 10/31/2009 2:32:45 PM - System Checkpoint
RP904: 11/1/2009 2:47:28 PM - System Checkpoint
RP905: 11/2/2009 3:32:50 PM - System Checkpoint
RP906: 11/2/2009 8:16:21 PM - Software Distribution Service 3.0
RP907: 11/3/2009 7:54:04 PM - Software Distribution Service 3.0
RP908: 11/4/2009 8:33:01 PM - System Checkpoint
RP909: 11/5/2009 9:33:02 PM - System Checkpoint
RP910: 11/6/2009 10:45:11 PM - System Checkpoint
RP911: 11/7/2009 3:21:20 AM - Software Distribution Service 3.0
RP912: 11/8/2009 2:33:03 AM - System Checkpoint
RP913: 11/9/2009 7:02:12 PM - Software Distribution Service 3.0
RP914: 11/10/2009 7:53:13 PM - System Checkpoint
RP915: 11/11/2009 3:01:10 AM - Software Distribution Service 3.0
RP916: 11/12/2009 3:35:15 AM - System Checkpoint
RP917: 11/12/2009 11:58:33 PM - Software Distribution Service 3.0
RP918: 11/14/2009 12:37:25 AM - System Checkpoint
RP919: 11/15/2009 1:37:28 AM - System Checkpoint
RP920: 11/16/2009 2:37:29 AM - System Checkpoint
RP921: 11/17/2009 2:17:22 AM - Software Distribution Service 3.0
RP922: 11/18/2009 2:45:26 AM - System Checkpoint
RP923: 11/19/2009 3:49:33 AM - System Checkpoint
RP924: 11/20/2009 2:16:40 AM - Software Distribution Service 3.0
RP925: 11/21/2009 2:49:37 AM - System Checkpoint
RP926: 11/22/2009 12:24:56 PM - System Checkpoint
RP927: 11/24/2009 2:54:54 PM - Software Distribution Service 3.0
RP928: 11/25/2009 10:40:19 AM - Software Distribution Service 3.0
RP929: 11/27/2009 11:59:39 AM - Software Distribution Service 3.0
RP930: 11/28/2009 5:12:59 PM - System Checkpoint
RP931: 11/30/2009 12:15:24 PM - Software Distribution Service 3.0
RP932: 12/1/2009 1:20:22 PM - System Checkpoint
RP933: 12/2/2009 5:53:02 PM - System Checkpoint
RP934: 12/3/2009 11:25:24 AM - Software Distribution Service 3.0
RP935: 12/4/2009 6:59:27 PM - System Checkpoint
RP936: 12/5/2009 7:39:32 PM - System Checkpoint
RP937: 12/6/2009 8:29:57 PM - System Checkpoint
RP938: 12/7/2009 1:11:13 PM - Software Distribution Service 3.0
RP939: 12/8/2009 9:36:24 PM - System Checkpoint
RP940: 12/10/2009 5:46:52 PM - Software Distribution Service 3.0
RP941: 12/11/2009 10:22:34 AM - Software Distribution Service 3.0
RP942: 12/12/2009 5:53:40 PM - System Checkpoint
RP943: 12/13/2009 6:34:16 PM - System Checkpoint
RP944: 12/14/2009 3:06:33 PM - Software Distribution Service 3.0
RP945: 12/16/2009 11:26:45 AM - System Checkpoint
RP946: 12/17/2009 8:12:54 PM - Software Distribution Service 3.0
RP947: 12/21/2009 8:34:49 PM - Software Distribution Service 3.0

==== Installed Programs ======================

AAC Decoder
AC-3 ACM Codec
AC3Filter (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Adobe Shockwave Player 11.5
ANIO Service
ANIWZCS2 Service
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
ATI Parental Control
AutoUpdate
Collab
Comcast High-Speed Internet Install Wizard
Comcast Toolbar
Conexant D850 56K V.9x DFVc Modem
Corel Snapfire Plus
Coupon Printer for Windows
Creative Mass Storage Drivers
Creative MediaSource
Creative System Information
Creative Zen Nano Plus
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.2
Dell System Restore
Desktop Doctor
Digital Content Portal
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Documentation & Support Launcher
EarthLink Setup Files
EducateU
ESPNMotion
ffdshow [rev 1723] [2007-12-24]
Final Drive Fury
Final Drive Nitro
FL Studio 8
Games, Music, & Photos Launcher
Google Chrome
Google Update Helper
Google Video Player
Google Video Uploader
H.264 Decoder
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
hp deskjet 6122 series
HP Driver Diagnostics
IL Download Manager
Intel® Matrix Storage Manager
Intel® PRO Network Connections
iTunes
J2SE Runtime Environment 5.0 Update 6
Kaspersky Internet Security 2010
LimeWire 4.18.8
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft IntelliType Pro 6.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
MKV Splitter
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
neroxml
NetWaiting
NVIDIA Drivers
QuickTime
Roxio Easy Media Creator 9 Suite
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
TVersity Codec Pack 1.2
TVersity Media Server 1.6 Beta
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
VC80CRTRedist - 8.0.50727.762
Virtual DJ - Atomix Productions
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WLAN Monitor
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/21/2009 8:11:30 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
12/21/2009 7:57:11 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Microsoft Antimalware Service service to connect.
12/21/2009 7:57:11 PM, error: Service Control Manager [7000] - The Microsoft Antimalware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/21/2009 5:46:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/21/2009 5:45:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm kl1 KLIF
12/21/2009 5:43:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/18/2009 9:55:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Internet Security service to connect.
12/18/2009 9:55:28 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the path specified.
12/18/2009 9:55:28 PM, error: Service Control Manager [7000] - The Kaspersky Internet Security service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/18/2009 9:31:21 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The system cannot find the file specified.
12/18/2009 8:40:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/18/2009 8:23:20 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The system cannot find the path specified.
12/18/2009 8:09:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
12/18/2009 7:45:41 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
12/18/2009 7:26:19 PM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
12/18/2009 6:57:41 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {398E2E68-BFDA-4834-B971-3CB8EC3C7219}
12/18/2009 6:57:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm mfehidk
12/18/2009 6:36:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/18/2009 6:35:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/18/2009 6:35:55 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2009 6:35:55 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2009 6:35:55 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2009 6:35:55 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/18/2009 6:35:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/18/2009 11:02:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/18/2009 10:58:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec kl1 KLIF MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/18/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
12/17/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
12/17/2009 8:14:09 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB915597 (Definition 1.71.992.0).
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Defender service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Real-time Scanner service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Personal Firewall Service service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Network Agent service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1ca3401ae7f86bf) service to connect.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The Windows Defender service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:10:21 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1ca3401ae7f86bf) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/17/2009 8:04:51 PM, error: Service Control Manager [7034] - The TVersityMediaServer service terminated unexpectedly. It has done this 1 time(s).
12/17/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
12/17/2009 6:22:41 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
12/16/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
12/16/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
12/16/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
12/14/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
12/14/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
12/14/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402

==== End Of File ===========================
---------------------------------------------------------------------------------------------
GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-21 22:01:19
Windows 5.1.2600 Service Pack 3
Running: dagam.exe; Driver: C:\DOCUME~1\DJATOM~1\LOCALS~1\Temp\fftoapoc.sys


---- System - GMER 1.0.15 ----

Code 863BA520 ZwEnumerateKey
Code 8634C528 ZwFlushInstructionCache
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous
Code 864459C6 IofCallDriver
Code 8676A13E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP EFC9A572 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 864459CB
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8676A143
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP EFC9A94C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6814 5 Bytes JMP 8634C52C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 5 Bytes JMP 863BA524
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF66C8360, 0x21235D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD4315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00CA1D31 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 00C9D5B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CA67BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00C170D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DC637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DC62AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DC6318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DC617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DC61E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DC63DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DC6242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[312] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00CA74D1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 00BD4315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00CA67BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 00DC637B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 00DC62AD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 00DC6318 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 00DC617E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 00DC61E0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 00DC63DE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 00DC6242 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [EF2B6820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [EF2B6820] \??\C:\WINDOWS\system32\drivers\kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B51C9D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTetqpkonefr.sys (*** hidden *** ) EFA7A000-EFA97000 (118784 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTetqpkonefr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTmoojnddwfy.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTreyoehcnxy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTqvusaewldo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTmoojnddwfy.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTreyoehcnxy.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTqvusaewldo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTetqpkonefr.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTmoojnddwfy.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTreyoehcnxy.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTqvusaewldo.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Dj Atomix\Local Settings\Temp\H8SRTa59a.tmp 343040 bytes executable
File C:\WINDOWS\system32\drivers\H8SRTetqpkonefr.sys 40960 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTmoojnddwfy.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTreyoehcnxy.dat 202 bytes
File C:\WINDOWS\Temp\H8SRT711a.tmp 123 bytes
File C:\WINDOWS\Temp\H8SRTa150.tmp 201 bytes
File C:\WINDOWS\Temp\H8SRTa2f6.tmp 203 bytes
File C:\WINDOWS\Temp\H8SRTa884.tmp 203 bytes
File C:\WINDOWS\Temp\H8SRTa920.tmp 201 bytes

---- EOF - GMER 1.0.15 ----

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 01 January 2010 - 07:18 PM

Hello crankit211,


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Kaspersky Internet Security Antivirus before running ComboFix, as it will prevent it from running.

A right click on the System Tray icon will usually disable it. It may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 crankit211

Posted 05 January 2010 - 10:09 AM

Hi, first of all, I want to say thanks.
Thanks for having this support forum available to us.
I used the time, while I was waiting for your reply, to scour through others posts.
Your rules say to refrain from running/doing anything else to your computer, but
I was at my wits' end, and I figured I had nothing to lose.

Here's what I did.
I downloaded and ran RKill.
Next, I downloaded and ran Trend Micro RootkitBuster.
After that I was finally able to update and run Malwarebytes.
Then I updated and ran Kaspersky.

Now everything seems to be running fine.
I did not run Combofix; I did heed your warnings about not running it unless instructed to do so.
Let me know if you want me to.
Thanks again.

#4 SifuMike

Posted 05 January 2010 - 11:53 AM

Your rules say to refrain from running/doing anything else to your computer, but
I was at my wits' end, and I figured I had nothing to lose.


There is a good reason for me asking you NOT to run anything else. You don't know what you are doing, so you are probably making it worse. :(


None of the tools you ran will remove it.
Run ComboFix as per my previous instructions.

#5 crankit211

Posted 06 January 2010 - 09:33 AM

I'll do it once I get home, and I'll post the combofix log.
I hope I didn't possibly make it worse.
Thanks for your help.

#6 SifuMike

Posted 06 January 2010 - 02:11 PM

OK :(

#7 crankit211

Posted 06 January 2010 - 09:28 PM

I ran Combofix.
Here's the log,
ComboFix 10-01-04.01 - Dj Atomix 01/06/2010 20:00:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.596 [GMT -6:00]
Running from: c:\documents and settings\Dj Atomix\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\{34F38~1
c:\progra~1\COMMON~1\{74F38~1
c:\program files\driver
c:\program files\Internet Explorer\acpi.vxd
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\EventSystem.log
c:\windows\kb913800.exe
c:\windows\system32\srcr.dat
c:\windows\system32\tb.dr
c:\windows\Tasks\yslekxdq.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\program files\Norton PC Checkup
2009-12-30 00:59 . 2009-12-30 02:51 -------- d-----w- c:\program files\NortonInstaller
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\program files\DIFX
2009-12-25 14:14 . 2009-11-10 15:27 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\windows\D9DE9E0371CA423BB10157F13A751003.TMP
2009-12-25 14:13 . 2009-12-25 14:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 14:12 . 2009-12-25 14:13 -------- d-----w- c:\program files\LeapFrog
2009-12-25 14:12 . 2009-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-22 01:12 . 2009-12-22 01:51 -------- d-----w- c:\windows\BDOSCAN8
2009-12-21 23:53 . 2009-12-22 02:25 -------- d-----w- c:\program files\espi
2009-12-19 04:47 . 2009-12-22 02:25 -------- d-----w- c:\program files\Windows Defender
2009-12-19 03:41 . 2009-12-19 03:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-19 03:41 . 2009-12-19 03:41 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-19 03:38 . 2010-01-07 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-19 03:38 . 2009-12-19 03:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-19 01:22 . 2009-12-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-18 20:45 . 2009-12-18 20:46 -------- d-----w- C:\253221884395eaac8d38ebccd08d
2009-12-18 00:31 . 2009-12-18 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 21:00 . 2009-12-30 02:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-30 03:02 . 2009-12-30 02:34 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\program files\Norton Security Scan
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 02:17 . 2009-12-30 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 02:06 . 2009-12-30 02:06 696832 ----a-w- c:\windows\is-N3KEA.exe
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Tific
2009-12-27 16:05 . 2008-10-19 15:19 -------- d-----w- c:\program files\ffdshow
2009-12-27 16:03 . 2008-04-10 00:12 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-22 02:09 . 2009-07-27 17:00 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Move Networks
2009-12-22 02:09 . 2009-08-19 23:41 -------- d-----w- c:\program files\Image-Line
2009-12-19 03:30 . 2009-06-20 00:40 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-19 03:30 . 2008-12-16 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-19 03:29 . 2008-12-16 03:48 -------- d-----w- c:\program files\McAfee
2009-12-19 01:32 . 2008-12-16 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-19 01:32 . 2007-03-10 03:26 -------- d-----w- c:\program files\Lavasoft
2009-12-06 21:16 . 2009-12-06 21:16 -------- d-----w- c:\program files\Coupons
2009-12-03 22:14 . 2009-12-30 01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-12-30 01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:42 . 2009-10-07 11:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-01-29 19:14 . 2006-11-14 00:41 88 -csh--r- c:\windows\system32\2F4EDC9950.sys
2009-01-29 19:15 . 2007-02-01 14:12 3920 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-9 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dj Atomix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dj Atomix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Axqcbul]
c:\documents and settings\Dj Atomix\Application Data\T?sks\m?hta.exe [?]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 22:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 -c----w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 14:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 03:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 -c--a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-08-25 17:11 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-08-25 17:11 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"Client IP-IPX"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"cmdService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WinDefend"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"gupdate1ca3401ae7f86bf"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:mediaserver.exe

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.1.246\SymcPCCULaunchSvc.exe [12/29/2009 6:59 PM 123248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe [12/29/2009 6:59 PM 126392]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 2:30 PM 467040]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 8:14 AM 18560]
S4 gupdate1ca3401ae7f86bf;Google Update Service (gupdate1ca3401ae7f86bf);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 5:35 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]

2010-01-02 c:\windows\Tasks\Norton Security Scan for Dj Atomix.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-12-30 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{6B90EEB4-7456-29D3-2264-7FB21E6E8B98} - c:\windows\system32\kre.dll
HKU-Default-Explorer_Run-{74F386E6-0746-1033-0814-060616060001} - c:\program files\Common Files\{74F386E6-0746-1033-0814-060616060001}\Update.exe
MSConfigStartUp-74f38649 - c:\windows\system32\dqtdcrgx.dll
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-AntiMalware - c:\program files\AntiMalware\antimalware.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-clspackxq - c:\docume~1\DJATOM~1\LOCALS~1\Temp\clspackxq.exe
MSConfigStartUp-GetModule32 - c:\program files\GetModule\GetModule32.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-Google Update - c:\documents and settings\Dj Atomix\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-IpWins - c:\program files\Ipwindows\ipwins.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-nvchost - c:\windows\winlogon.exe
MSConfigStartUp-OE_OEM - c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
MSConfigStartUp-p2p networking - p2pnetworking.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 12\pccguide.exe
MSConfigStartUp-uzoz - c:\progra~1\COMMON~1\uzoz\uzozm.exe
MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 20:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.1.246\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2349773983-2153283688-2792327734-1006\r*Xw*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Running"=dword:00000001
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3536)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-06 20:24:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 02:24

Pre-Run: 66,799,980,544 bytes free
Post-Run: 67,964,166,144 bytes free

- - End Of File - - 870B43903F124DBDE3E5D2C024912099

#8 SifuMike

Posted 06 January 2010 - 09:43 PM

Hi crankit211.

Running from: c:\documents and settings\Dj Atomix\My Documents\Downloads\ComboFix.exe


You ran ComboFix from your Downloads folder. :(

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

Now we will have to run it again. :(

Delete the version of ComboFix you have in c:\documents and settings\Dj Atomix\My Documents\Downloads\ComboFix.exe

Then download ComboFix, install it on your desktop <===IMPORTANT

Disable Kaspersky Internet Security before running ComboFix again.
Post the Combofix.txt log.

Edited by SifuMike, 06 January 2010 - 09:44 PM.


#9 crankit211

Posted 07 January 2010 - 09:14 AM

I'll start over tonight, sorry.

#10 SifuMike

Posted 07 January 2010 - 11:30 AM

OK

#11 crankit211

Posted 07 January 2010 - 08:09 PM

I deleted ComboFix.
Then, downloaded and saved it to the Desktop.
Ran ComboFix, and walked away.
Returned to find the ever so lovely BSOD.
Restarted the computer and deleted Combofix again.
Downloaded, saved, and ran Combofix.
Here's the log.
I hope everything's OK.
Thanks.

ComboFix 10-01-04.01 - Dj Atomix 01/07/2010 18:56:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -6:00]
Running from: c:\documents and settings\Dj Atomix\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\program files\Norton Security Scan
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\program files\DIFX
2009-12-25 14:14 . 2009-11-10 15:27 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\windows\D9DE9E0371CA423BB10157F13A751003.TMP
2009-12-25 14:13 . 2009-12-25 14:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 14:13 . 2009-12-25 14:13 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-25 14:13 . 2009-12-25 14:13 6969680 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagJuniorPlugin.exe
2009-12-25 14:12 . 2009-12-25 14:13 -------- d-----w- c:\program files\LeapFrog
2009-12-25 14:12 . 2009-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-22 01:12 . 2009-12-22 01:51 -------- d-----w- c:\windows\BDOSCAN8
2009-12-21 23:53 . 2009-12-22 02:25 -------- d-----w- c:\program files\espi
2009-12-19 04:47 . 2009-12-22 02:25 -------- d-----w- c:\program files\Windows Defender
2009-12-19 03:41 . 2009-12-19 03:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-19 03:41 . 2009-12-19 03:41 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-19 03:38 . 2010-01-08 00:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-19 03:38 . 2009-12-19 03:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-19 01:22 . 2009-12-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-18 20:45 . 2009-12-18 20:46 -------- d-----w- C:\253221884395eaac8d38ebccd08d
2009-12-18 00:31 . 2009-12-18 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 21:00 . 2009-12-30 02:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-30 03:02 . 2009-12-30 02:34 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\program files\NortonInstaller
2009-12-30 02:17 . 2009-12-30 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 02:06 . 2009-12-30 02:06 696832 ----a-w- c:\windows\is-N3KEA.exe
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Tific
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\program files\Norton PC Checkup
2009-12-27 16:05 . 2008-10-19 15:19 -------- d-----w- c:\program files\ffdshow
2009-12-27 16:03 . 2008-04-10 00:12 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-22 02:09 . 2009-07-27 17:00 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Move Networks
2009-12-22 02:09 . 2009-08-19 23:41 -------- d-----w- c:\program files\Image-Line
2009-12-19 03:30 . 2009-06-20 00:40 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-19 03:30 . 2008-12-16 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-19 03:29 . 2008-12-16 03:48 -------- d-----w- c:\program files\McAfee
2009-12-19 01:32 . 2008-12-16 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-19 01:32 . 2007-03-10 03:26 -------- d-----w- c:\program files\Lavasoft
2009-12-06 21:16 . 2009-12-06 21:16 -------- d-----w- c:\program files\Coupons
2009-12-03 22:14 . 2009-12-30 01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-12-30 01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:42 . 2009-10-07 11:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-01-29 19:14 . 2006-11-14 00:41 88 -csh--r- c:\windows\system32\2F4EDC9950.sys
2009-01-29 19:15 . 2007-02-01 14:12 3920 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-9 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dj Atomix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dj Atomix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Axqcbul]
c:\documents and settings\Dj Atomix\Application Data\T?sks\m?hta.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 22:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 -c----w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 14:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 03:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 -c--a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-08-25 17:11 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-08-25 17:11 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"Client IP-IPX"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"cmdService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WinDefend"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"gupdate1ca3401ae7f86bf"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:mediaserver.exe

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.1.246\SymcPCCULaunchSvc.exe [12/29/2009 6:59 PM 123248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe [12/29/2009 6:59 PM 126392]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 2:30 PM 467040]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 8:14 AM 18560]
S4 gupdate1ca3401ae7f86bf;Google Update Service (gupdate1ca3401ae7f86bf);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 5:35 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2010-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]

2010-01-02 c:\windows\Tasks\Norton Security Scan for Dj Atomix.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-12-30 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.1.246\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2349773983-2153283688-2792327734-1006\r*Xw*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Running"=dword:00000001
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1372)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-07 19:04:06
ComboFix-quarantined-files.txt 2010-01-08 01:04
ComboFix2.txt 2010-01-07 02:24

Pre-Run: 68,057,542,656 bytes free
Post-Run: 68,003,766,272 bytes free

- - End Of File - - 7C17D8D34D2B1D88D121F11836D8F86F

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 08 January 2010 - 03:23 PM

Hi crankit211,

You need to disable your Kaspersky Internet Security Antivirus before running ComboFix, as it will prevent it from running.

A right click on the System Tray icon will usually disable it. It may otherwise interfere with our tools. If you don't know how to disable them then just continue on.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Axqcbul]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 crankit211

crankit211
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:18 PM

Posted 08 January 2010 - 08:37 PM

Ok, here's the latest ComboFix Log.
.
ComboFix 10-01-04.01 - Dj Atomix 01/08/2010 19:25:14.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.563 [GMT -6:00]
Running from: c:\documents and settings\Dj Atomix\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dj Atomix\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\program files\Norton Security Scan
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\program files\DIFX
2009-12-25 14:14 . 2009-11-10 15:27 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\windows\D9DE9E0371CA423BB10157F13A751003.TMP
2009-12-25 14:13 . 2009-12-25 14:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 14:13 . 2009-12-25 14:13 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-25 14:13 . 2009-12-25 14:13 6969680 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagJuniorPlugin.exe
2009-12-25 14:12 . 2009-12-25 14:13 -------- d-----w- c:\program files\LeapFrog
2009-12-25 14:12 . 2009-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-22 01:12 . 2009-12-22 01:51 -------- d-----w- c:\windows\BDOSCAN8
2009-12-21 23:53 . 2009-12-22 02:25 -------- d-----w- c:\program files\espi
2009-12-19 04:47 . 2009-12-22 02:25 -------- d-----w- c:\program files\Windows Defender
2009-12-19 03:41 . 2009-12-19 03:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-19 03:41 . 2009-12-19 03:41 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-19 03:38 . 2010-01-09 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-19 03:38 . 2009-12-19 03:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-19 01:22 . 2009-12-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-18 20:45 . 2009-12-18 20:46 -------- d-----w- C:\253221884395eaac8d38ebccd08d
2009-12-18 00:31 . 2009-12-18 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 21:00 . 2009-12-30 02:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-30 03:02 . 2009-12-30 02:34 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\program files\NortonInstaller
2009-12-30 02:17 . 2009-12-30 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 02:06 . 2009-12-30 02:06 696832 ----a-w- c:\windows\is-N3KEA.exe
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Tific
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\program files\Norton PC Checkup
2009-12-27 16:05 . 2008-10-19 15:19 -------- d-----w- c:\program files\ffdshow
2009-12-27 16:03 . 2008-04-10 00:12 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-22 02:09 . 2009-07-27 17:00 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Move Networks
2009-12-22 02:09 . 2009-08-19 23:41 -------- d-----w- c:\program files\Image-Line
2009-12-19 03:30 . 2009-06-20 00:40 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-19 03:30 . 2008-12-16 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-19 03:29 . 2008-12-16 03:48 -------- d-----w- c:\program files\McAfee
2009-12-19 01:32 . 2008-12-16 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-19 01:32 . 2007-03-10 03:26 -------- d-----w- c:\program files\Lavasoft
2009-12-06 21:16 . 2009-12-06 21:16 -------- d-----w- c:\program files\Coupons
2009-12-03 22:14 . 2009-12-30 01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-12-30 01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:42 . 2009-10-07 11:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-01-29 19:14 . 2006-11-14 00:41 88 -csh--r- c:\windows\system32\2F4EDC9950.sys
2009-01-29 19:15 . 2007-02-01 14:12 3920 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-9 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dj Atomix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dj Atomix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Axqcbul]
c:\documents and settings\Dj Atomix\Application Data\T?sks\m?hta.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 22:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 -c----w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 14:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 03:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 -c--a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-08-25 17:11 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-08-25 17:11 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"Client IP-IPX"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"cmdService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WinDefend"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"gupdate1ca3401ae7f86bf"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:mediaserver.exe

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.1.246\SymcPCCULaunchSvc.exe [12/29/2009 6:59 PM 123248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe [12/29/2009 6:59 PM 126392]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 2:30 PM 467040]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 8:14 AM 18560]
S4 gupdate1ca3401ae7f86bf;Google Update Service (gupdate1ca3401ae7f86bf);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 5:35 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2010-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]

2010-01-02 c:\windows\Tasks\Norton Security Scan for Dj Atomix.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-12-30 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.1.246\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2349773983-2153283688-2792327734-1006\r*Xw*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Running"=dword:00000001
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-08 19:33:50
ComboFix-quarantined-files.txt 2010-01-09 01:33
ComboFix2.txt 2010-01-08 01:04
ComboFix3.txt 2010-01-07 02:24

Pre-Run: 68,029,419,520 bytes free
Post-Run: 67,971,452,928 bytes free

- - End Of File - - BAF2FD8B5FE32A04A928E0C755208B0B

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 08 January 2010 - 09:26 PM

Hi crankit211,

I made a mistake on the last fix.
Let's try again.

You need to disable your Kaspersky Internet Security Antivirus before running ComboFix, as it will prevent it from running.

A right click on the System Tray icon will usually disable it. It may otherwise interfere with our tools. If you don't know how to disable them then just continue on.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL::
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Axqcbul]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
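The ComboFix logs in this thread are read by eye for a handful of indicators. As an added example that is not part of the thread or of ComboFix itself, here is a small Python triage script that pulls those indicators out of a ComboFix-style log: locked registry keys, files carrying the hidden attribute, globally open firewall ports, the EnableFirewall value the CFScript above sets, and the hidden-file count. SAMPLE_LOG is constructed to mirror the format of the logs posted in this thread.

```python
# Added example (not from the thread or from ComboFix): pull out the findings a
# helper scans a ComboFix log for. SAMPLE_LOG is constructed in the log's format.
import re

SAMPLE_LOG = r"""
2009-01-29 19:14 . 2006-11-14 00:41 88 -csh--r- c:\windows\system32\2F4EDC9950.sys
2009-12-03 22:13 . 2009-12-30 01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:mediaserver.exe
**************************************************************************
hidden files: 0
**************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2349773983-2153283688-2792327734-1006\r*Xw*]
@Allowed: (Read) (RestrictedCode)
"Running"=dword:00000001
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# One dated file/dir entry: created . modified size attrs path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} "
                       r"\d{2}:\d{2} +(?:\d+|-+) +([-\w]{8}) +(.+)$")
KEY_LINE = re.compile(r"^\[(.+)\]$")
PORT_LINE = re.compile(r'^"(\d+):(TCP|UDP)"=')
HIDDEN_COUNT = re.compile(r"^hidden files: (\d+)$")


def triage(log_text):
    """Return the indicators worth a second look from a ComboFix-style log."""
    out = {"locked_keys": [], "hidden_attr_files": [], "open_ports": [],
           "firewall_disabled": False, "hidden_files": None}
    in_locked = False   # inside the LOCKED REGISTRY KEYS section
    key = None          # registry key whose values we are currently reading
    for line in log_text.splitlines():
        line = line.rstrip()
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True
            continue
        if line.startswith("-----") or line.startswith("*****"):
            in_locked = False   # any other banner ends the locked section
        if m := KEY_LINE.match(line):
            key = m.group(1)
            if in_locked:       # keys the tool could not open normally
                out["locked_keys"].append(key)
        elif m := FILE_LINE.match(line):
            if "h" in m.group(1):   # hidden attribute set: review it, not a verdict
                out["hidden_attr_files"].append(m.group(2))
        elif (m := PORT_LINE.match(line)) and key and key.endswith(r"GloballyOpenPorts\List"):
            out["open_ports"].append(f"{m.group(1)}/{m.group(2)}")
        elif key and key.endswith(r"firewallpolicy\standardprofile") \
                and line.lower().startswith('"enablefirewall"=dword:'):
            out["firewall_disabled"] = line.endswith("00000000")
        elif m := HIDDEN_COUNT.match(line):
            out["hidden_files"] = int(m.group(1))
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Hidden-attribute hits are a review list, not a verdict: licensing and driver files legitimately carry those attributes, so each one still needs a look by hand.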

#15 crankit211

crankit211
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:04:18 PM

Posted 10 January 2010 - 11:42 AM

Here's the latest log.
.
ComboFix 10-01-04.01 - Dj Atomix 01/10/2010 10:13:07.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -6:00]
Running from: c:\documents and settings\Dj Atomix\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dj Atomix\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\program files\Norton PC Checkup
2009-12-30 00:59 . 2009-12-30 02:51 -------- d-----w- c:\program files\NortonInstaller
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\program files\DIFX
2009-12-25 14:14 . 2009-11-10 15:27 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2009-12-25 14:14 . 2009-12-25 14:14 -------- d-----w- c:\windows\D9DE9E0371CA423BB10157F13A751003.TMP
2009-12-25 14:13 . 2009-12-25 14:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 14:12 . 2009-12-25 14:13 -------- d-----w- c:\program files\LeapFrog
2009-12-25 14:12 . 2009-12-25 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2009-12-22 01:12 . 2009-12-22 01:51 -------- d-----w- c:\windows\BDOSCAN8
2009-12-21 23:53 . 2009-12-22 02:25 -------- d-----w- c:\program files\espi
2009-12-19 04:47 . 2009-12-22 02:25 -------- d-----w- c:\program files\Windows Defender
2009-12-19 03:41 . 2009-12-19 03:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-12-19 03:41 . 2009-12-19 03:41 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-12-19 03:38 . 2010-01-10 16:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-19 03:38 . 2009-12-19 03:38 -------- d-----w- c:\program files\Kaspersky Lab
2009-12-19 01:22 . 2009-12-19 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-18 20:45 . 2009-12-18 20:46 -------- d-----w- C:\253221884395eaac8d38ebccd08d
2009-12-18 00:31 . 2009-12-18 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-01 21:00 . 2009-12-30 02:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-30 03:02 . 2009-12-30 02:34 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-30 02:51 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\program files\Norton Security Scan
2009-12-30 02:51 . 2009-12-30 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-30 02:17 . 2009-12-30 01:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 02:06 . 2009-12-30 02:06 696832 ----a-w- c:\windows\is-N3KEA.exe
2009-12-30 00:59 . 2009-12-30 00:59 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Tific
2009-12-27 16:05 . 2008-10-19 15:19 -------- d-----w- c:\program files\ffdshow
2009-12-27 16:03 . 2008-04-10 00:12 -------- d-----w- c:\program files\TVersity Codec Pack
2009-12-25 14:13 . 2009-12-25 14:13 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-25 14:13 . 2009-12-25 14:13 6969680 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagJuniorPlugin.exe
2009-12-22 02:09 . 2009-07-27 17:00 -------- d-----w- c:\documents and settings\Dj Atomix\Application Data\Move Networks
2009-12-22 02:09 . 2009-08-19 23:41 -------- d-----w- c:\program files\Image-Line
2009-12-19 03:30 . 2009-06-20 00:40 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-19 03:30 . 2008-12-16 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-19 03:29 . 2008-12-16 03:48 -------- d-----w- c:\program files\McAfee
2009-12-19 01:32 . 2008-12-16 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-19 01:32 . 2007-03-10 03:26 -------- d-----w- c:\program files\Lavasoft
2009-12-06 21:16 . 2009-12-06 21:16 -------- d-----w- c:\program files\Coupons
2009-12-03 22:14 . 2009-12-30 01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-12-30 01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-03 02:42 . 2009-10-07 11:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 02:34 . 2009-10-21 02:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-20 16:54 . 2009-10-20 16:54 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.736\English\setup.exe
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-15 03:18 . 2009-10-15 03:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-01-29 19:14 . 2006-11-14 00:41 88 -csh--r- c:\windows\system32\2F4EDC9950.sys
2009-01-29 19:15 . 2007-02-01 14:12 3920 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"Airlink101 WLAN Monitor"="c:\program files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe" [2006-10-13 958464]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-9 24576]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dj Atomix^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Dj Atomix\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANIWZCS2Service]
2006-06-29 22:34 49152 ----a-w- c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 -c----w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellHelp]
2004-04-01 14:51 1589248 -c--a-w- c:\dell\DellHelp\DellHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-07-17 03:29 389120 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 -c--a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-08-25 17:11 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-08-25 17:11 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 11:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-06-16 14:39 7323648 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-10-27 14:41 221184 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-07-24 16:20 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"ose"=3 (0x3)
"NBService"=3 (0x3)
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"Client IP-IPX"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"cmdService"=2 (0x2)
"NMIndexingService"=3 (0x3)
"ANIWZCSdService"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WinDefend"=2 (0x2)
"TVersityMediaServer"=2 (0x2)
"sprtsvc_ddoctorv2"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"gupdate1ca3401ae7f86bf"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"41952:TCP"= 41952:TCP:mediaserver.exe

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.1.246\SymcPCCULaunchSvc.exe [12/29/2009 6:59 PM 123248]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe [12/29/2009 6:59 PM 126392]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
R3 N5SG;Airlink101 SuperG Wireless Network Adapter Service;c:\windows\system32\drivers\N5SG.sys [11/3/2006 2:30 PM 467040]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/25/2009 8:14 AM 18560]
S4 gupdate1ca3401ae7f86bf;Google Update Service (gupdate1ca3401ae7f86bf);c:\program files\Google\Update\GoogleUpdate.exe [9/12/2009 5:35 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-12 23:35]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2009-05-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]

2010-01-02 c:\windows\Tasks\Norton Security Scan for Dj Atomix.job
- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-12-30 01:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 10:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.1.246\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.1.246\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2349773983-2153283688-2792327734-1006\r*Xw*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Running"=dword:00000001
DUMPHIVE0.003 (REGF)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3196)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-10 10:31:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-10 16:31
ComboFix2.txt 2010-01-09 01:33
ComboFix3.txt 2010-01-08 01:04
ComboFix4.txt 2010-01-07 02:24

Pre-Run: 68,063,723,520 bytes free
Post-Run: 68,083,048,448 bytes free

- - End Of File - - 6E43ECEE252992ABC2951E8598D72AF5
