
Infected with Vundo, search engine redirects, etc.


  • This topic is locked
22 replies to this topic

#1 fuzzyfishy

  • Members
  • 57 posts

Posted 22 January 2010 - 02:42 AM

I have a desktop computer running Windows XP Media Center Edition Version 2002 Service Pack 3.
For the past few months I have been dealing with some virus, trojan, rootkit, infection etc. thing on my computer. At different times I have experienced the following symptoms/indications:
  • Antivirus Live pop ups, security warnings, etc.
  • random audio playing in the background without any player running (usually commercials)
  • pop-ups
  • search engine results being redirected when clicked on
  • not being able to use IE at all
  • not being able to install or run programs such as MBAM and MSE
  • websites showing up in my history that I never visited
  • could not run computer in safe mode
  • these types are always in my history:
    file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STS9.tmp
    file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STSA.tmp
After coming to this forum last week, I have received help and information, which led to IE working again and I installed and ran MBAM, SAS, and other scans. After a few days, it seemed like the scans couldn't find anything else, but recently some symptoms are showing up again:
search engine results are redirected
pop ups
and every time I start the computer and open history, a few of these files will be there:
file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STS11.tmp
file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STS12.tmp

One other thing: I thought I would mention this too, but I haven't read anyone else on this forum mention this problem/change, so I don't know if it will make any sense/matter/is totally accurate. But since more information is better than less, here goes:
Another thing that I noticed started after I originally got this virus, trojan, infection thing is a couple small changes to when my computer starts up every time. I'm not good at explaining this, but here's my attempt:
First there's the blue screen "HP Invent" with Esc=Boot Menu, F1, F10 at the bottom (normal), then a black screen for a second with an underscore cursor blinking at the top left of the screen and then it moves down the screen a couple of spaces (I think this screen is new), then a screen a lot like the screen that comes up after pressing F8 at the beginning and selecting Safe Mode, etc.
This is exactly what the screen shows: It's black with the text:
"Please select the operating system to start:

Windows XP Media Center Edition
Microsoft Windows Recovery Console

Use the up and down arrow keys to move the highlight to your choice.
Press ENTER to choose.
Seconds until highlighted choice will be started automatically: 0




For troubleshooting and advanced startup options for Windows, press F8."

But this screen shows up for a second every time the computer starts up without me pressing F8 or anything else, and I'm 98% sure it started after I got this virus.
After that screen, then the Microsoft Windows XP screen for a few seconds (normal), and then the "Log On to Windows" box (for username and password) screen (normal).

This may not matter, so it is not a top priority to figure it out/fix it. I just thought I would mention it while describing all the other things going on with my computer since I got this virus thing. Please let me know any thoughts on it though, as I am curious about it.


So I have been advised to run HJT/DDS and post it here. I am really, really hoping to get the original, deep rooted, hidden infection out of my computer, and get it all clean and clear. I appreciate all the help I can get. Thank you. I will wait for a response.

Here are the logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 0:40:09.98 on Fri 01/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.516 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: milokira.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hireteniw - {fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - No File
STS: {fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli jabihoju.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\86tw9cyj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [2009-5-11 21504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S1 mpzleuhs;mpzleuhs;\??\c:\windows\system32\drivers\mpzleuhs.sys --> c:\windows\system32\drivers\mpzleuhs.sys [?]
S1 tjljdssi;tjljdssi;\??\c:\windows\system32\drivers\tjljdssi.sys --> c:\windows\system32\drivers\tjljdssi.sys [?]

=============== Created Last 30 ================

2010-01-19 22:10:40 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-16 15:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 15:48:45 0 d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-16 06:59:57 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-14 21:14:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 21:14:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 21:14:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 20:03:15 0 d--h--w- c:\windows\PIF
2010-01-08 23:55:26 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-08 23:55:23 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-08 03:22:21 0 d-----w- C:\3c8ddba094fb7fd6b18d75e9e9
2010-01-07 19:15:49 0 ----a-w- c:\documents and settings\hp_administrator\settings.dat
2010-01-06 20:14:52 0 d-----w- C:\b2a6ae9d30848f1b658a45
2010-01-06 20:11:49 0 d-----w- c:\windows\pss
2010-01-06 20:04:03 0 d-----w- C:\b6b6ee2ffb6433c078e5419bce1482
2010-01-06 18:05:06 0 d-----w- C:\b66a0401de4a205ab93b2d5634dc4d
2010-01-06 17:43:21 0 d-----w- C:\18d696b4e707fb18d8
2010-01-06 17:37:14 0 d-----w- C:\4a7fbb3f1bc15ad0ab5e65
2009-12-29 21:23:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-12-29 21:23:08 411368 ----a-w- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 06:03:14 130971 ----a-w- c:\windows\hpoins12.dat
2009-12-29 21:22:44 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-29 19:41:36 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 16:17:22 1430 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-11-18 17:26:00 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
2009-10-28 14:40:47 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 0:41:46.95 ===============



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 28 January 2010 - 08:43 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 fuzzyfishy

  • Topic Starter
  • Members
  • 57 posts

Posted 29 January 2010 - 08:44 PM

Yes, I would still like some help please. Thank you for the reply. I understand the wait.

At the moment, I can't run MBAM (it shows the 'Missing Shortcut' pop-up when I click on the icon), and I can't run the computer in safe mode (I have done the SAS "Repair broken SafeBoot key" thing, but it doesn't seem to fix it).

Here are the three logs (Attach and RootRepeal logs are attachments, is that how you would always like them, or put in the post?)

DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 19:14:16.95 on Fri 01/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.212 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: zozefebe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: hireteniw - {fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - No File
SSODL: dapuruwuj - {039a0385-fa79-489d-9ab6-7d3991628aae} - No File
STS: {fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - No File
STS: {039a0385-fa79-489d-9ab6-7d3991628aae} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli jabihoju.dll vufosesa.dll tusubiku.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\86tw9cyj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [2009-5-11 21504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S1 irgshvyq;irgshvyq;\??\c:\windows\system32\drivers\irgshvyq.sys --> c:\windows\system32\drivers\irgshvyq.sys [?]
S1 mpzleuhs;mpzleuhs;\??\c:\windows\system32\drivers\mpzleuhs.sys --> c:\windows\system32\drivers\mpzleuhs.sys [?]
S1 olplmevp;olplmevp;\??\c:\windows\system32\drivers\olplmevp.sys --> c:\windows\system32\drivers\olplmevp.sys [?]
S1 xxnhjedl;xxnhjedl;\??\c:\windows\system32\drivers\xxnhjedl.sys --> c:\windows\system32\drivers\xxnhjedl.sys [?]

=============== Created Last 30 ================

2010-01-23 00:56:24 0 d-----w- C:\d6b8f5b9ba701d5f16c6f3d2c9d1e2
2010-01-19 22:10:40 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-16 15:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 15:48:45 0 d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-16 06:59:57 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-14 21:14:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 21:14:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 21:14:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 20:03:15 0 d--h--w- c:\windows\PIF
2010-01-08 23:55:26 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-08 23:55:23 6435 ----a-w- c:\windows\system32\WORK.DAT
2010-01-08 03:22:21 0 d-----w- C:\3c8ddba094fb7fd6b18d75e9e9
2010-01-07 19:15:49 0 ----a-w- c:\documents and settings\hp_administrator\settings.dat
2010-01-06 20:14:52 0 d-----w- C:\b2a6ae9d30848f1b658a45
2010-01-06 20:11:49 0 d-----w- c:\windows\pss
2010-01-06 20:04:03 0 d-----w- C:\b6b6ee2ffb6433c078e5419bce1482
2010-01-06 18:05:06 0 d-----w- C:\b66a0401de4a205ab93b2d5634dc4d
2010-01-06 17:43:21 0 d-----w- C:\18d696b4e707fb18d8
2010-01-06 17:37:14 0 d-----w- C:\4a7fbb3f1bc15ad0ab5e65

==================== Find3M ====================

2010-01-23 02:20:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 06:03:14 130971 ----a-w- c:\windows\hpoins12.dat
2009-12-29 21:22:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-29 21:22:44 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-03 16:17:22 1430 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-11-18 17:26:00 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\guwazewu.dll
1601-01-01 00:03:52 56320 --sha-w- c:\windows\system32\pemewoma.dll
1601-01-01 00:03:52 56320 --sha-w- c:\windows\system32\tusubiku.dll
1601-01-01 00:03:52 56320 --sha-w- c:\windows\system32\zozefebe.dll

============= FINISH: 19:15:31.34 ===============
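Set side by side, the two DDS logs posted in this thread show the same persistence points being re-populated with fresh random names between the 22nd and the 29th: AppInit_DLLs went from milokira.dll to zozefebe.dll, the LSA Notification Packages list grew from one unknown DLL to three, one unknown S1 driver became four, the SSODL/STS orphan entries doubled, and the Find3M section now lists system+hidden DLLs in system32 whose timestamps are 1601-01-01 (a zeroed FILETIME). Together with the IE proxy pointed at 127.0.0.1:5555, those are the entries a helper reads first. The script below is an added example for this thread, not part of the DDS tool or of anything posted here: it parses lines in the DDS "Pseudo HJT Report", "Services / Drivers" and "Find3M" formats and flags those patterns. The sample input is a handful of lines copied from the log above plus two benign lines for contrast; the eight-letter random-name heuristic and the one-entry allow-list of LSA notification packages are assumptions of the example, not published signatures.

```python
import re

# Constructed sample input: lines copied from the second DDS log posted in this
# thread (post #3), plus two benign lines (MpFilter, atapi.sys) for contrast.
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
AppInit_DLLs: zozefebe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: hireteniw - {fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - No File
STS: {039a0385-fa79-489d-9ab6-7d3991628aae} - No File
LSA: Notification Packages = scecli jabihoju.dll vufosesa.dll tusubiku.dll
R1 MpFilter;Microsoft Malware Protection Driver;c:\\windows\\system32\\drivers\\MpFilter.sys [2009-6-18 142832]
S1 irgshvyq;irgshvyq;\\??\\c:\\windows\\system32\\drivers\\irgshvyq.sys --> c:\\windows\\system32\\drivers\\irgshvyq.sys [?]
1601-01-01 00:03:52 56320 --sha-w- c:\\windows\\system32\\zozefebe.dll
2009-12-29 21:22:44 96512 ----a-w- c:\\windows\\system32\\dllcache\\atapi.sys
"""

# Assumption of this example: on a stand-alone XP box the only LSA notification
# package expected is scecli. Extend the set for domain controllers / RAS servers.
KNOWN_LSA_NOTIFY = {"scecli"}

# Heuristic, not a published signature: the Vundo-family names in this thread
# are eight lowercase letters (zozefebe, tusubiku, irgshvyq, ...).
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


def _stem(path):
    """File name without directory or extension, lower-cased."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def triage_dds(text):
    """Return (rule, evidence) pairs for suspicious entries in DDS log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. A proxy on the loopback interface sees every IE request. Nothing
        #    legitimate on this machine is listening on 127.0.0.1:5555.
        if "ProxyServer" in line and re.search(r"127\.0\.0\.1:\d+", line):
            findings.append(("loopback-proxy", line))
        # 2. AppInit_DLLs is loaded into every process that maps user32.dll.
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit-dll", line))
        # 3. ShellServiceObjectDelayLoad / SharedTaskScheduler entries whose
        #    file is gone: an earlier clean-up removed the DLL, not the key.
        elif line.startswith(("SSODL:", "STS:")) and line.endswith("No File"):
            findings.append(("orphan-shell-entry", line))
        # 4. LSA notification packages are loaded by lsass.exe at boot.
        elif line.startswith("LSA: Notification Packages"):
            for pkg in line.split("=", 1)[1].split():
                if _stem(pkg) not in KNOWN_LSA_NOTIFY:
                    findings.append(("lsa-notify-dll", pkg))
        # 5. System-start (S1/R1) drivers with a random name whose file DDS
        #    could not find ([?]): the registration a rootkit dropper leaves.
        elif re.match(r"^[RS]\d ", line) and line.endswith("[?]"):
            svc = line.split(";", 1)[0].split(" ", 1)[1]
            if RANDOM_STEM.match(svc):
                findings.append(("random-missing-driver", line))
        # 6. Find3M lines: 1601-01-01 is a zeroed FILETIME, and s+h attributes
        #    on a random-named DLL in system32 hide it from Explorer and dir.
        elif line.startswith("1601-01-01") or "--sha-w-" in line:
            path = line.split()[-1]
            if RANDOM_STEM.match(_stem(path)):
                findings.append(("timestomped-hidden-dll", path))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage_dds(SAMPLE_DDS):
        print(f"{rule:24} {evidence}")
```

Run it against a full DDS.txt with triage_dds(open("DDS.txt").read()). It is a triage aid, not a verdict: the name heuristic misses families that use other naming schemes, and a legitimate local proxy or an extra LSA package on a server would be flagged too, which is exactly why the helpers here still read the whole log.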


#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 January 2010 - 11:28 PM

Hello.

Thanks for those logs.

We are going to start with Combofix. I see a few infections there particularly vundo.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.




#5 fuzzyfishy

  • Topic Starter
  • Members
  • 57 posts

Posted 30 January 2010 - 05:49 PM

At some point during the scan the computer restarted, but once it did, Combofix opened automatically and continued to run. Would you like for me to run it again?


ComboFix 10-01-29.09 - HP_Administrator 01/30/2010 17:10:24.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.560 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\program files\Internet Explorer\SET1CB.tmp
c:\program files\Internet Explorer\SET1D0.tmp
c:\program files\Internet Explorer\SET1E3.tmp
c:\program files\Internet Explorer\SET1E8.tmp
c:\program files\Internet Explorer\SET209.tmp
c:\program files\Internet Explorer\SET20E.tmp
c:\program files\Internet Explorer\SET22F.tmp
c:\program files\Internet Explorer\SET234.tmp
c:\program files\Internet Explorer\SET255.tmp
c:\program files\Internet Explorer\SET25A.tmp
c:\program files\Internet Explorer\SET27B.tmp
c:\program files\Internet Explorer\SET280.tmp
c:\program files\Internet Explorer\SET2A1.tmp
c:\program files\Internet Explorer\SET2A6.tmp
c:\program files\Internet Explorer\SET34C.tmp
c:\program files\Internet Explorer\SET351.tmp
c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\kb913800.exe
c:\windows\system32\ps2.bat
c:\windows\system32\tusubiku.dll
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat
c:\windows\system32\zozefebe.dll
c:\windows\Tasks\lwmadmei.job
c:\windows\Tasks\qoicoenb.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-25 14:58 . 2010-01-26 15:55 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\knbivc
2010-01-23 00:56 . 2010-01-23 02:24 -------- d-----w- C:\d6b8f5b9ba701d5f16c6f3d2c9d1e2
2010-01-20 03:52 . 2010-01-20 03:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-19 22:10 . 2010-01-19 22:10 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-16 15:49 . 2010-01-16 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 06:59 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-14 21:14 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 21:14 . 2010-01-22 05:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 21:14 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 20:03 . 2010-01-14 20:03 -------- d--h--w- c:\windows\PIF
2010-01-14 18:15 . 2010-01-16 19:29 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\lrlelp
2010-01-11 16:21 . 2010-01-16 06:35 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ficwwl
2010-01-09 21:31 . 2010-01-09 21:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-08 03:22 . 2010-01-08 03:33 -------- d-----w- C:\3c8ddba094fb7fd6b18d75e9e9
2010-01-07 19:15 . 2010-01-07 19:15 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2010-01-06 20:14 . 2010-01-06 20:23 -------- d-----w- C:\b2a6ae9d30848f1b658a45
2010-01-06 20:04 . 2010-01-06 20:13 -------- d-----w- C:\b6b6ee2ffb6433c078e5419bce1482
2010-01-06 18:05 . 2010-01-06 18:06 -------- d-----w- C:\b66a0401de4a205ab93b2d5634dc4d
2010-01-06 17:43 . 2010-01-06 17:43 -------- d-----w- C:\18d696b4e707fb18d8
2010-01-06 17:37 . 2010-01-06 17:39 -------- d-----w- C:\4a7fbb3f1bc15ad0ab5e65

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 20:04 . 2009-10-20 17:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-28 19:25 . 2010-01-16 15:49 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-23 02:20 . 2004-08-09 21:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 04:26 . 2009-12-02 06:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 15:49 . 2010-01-16 15:49 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 16:12 . 2009-12-14 01:48 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 06:03 . 2008-02-14 00:18 130971 ----a-w- c:\windows\hpoins12.dat
2009-12-29 21:22 . 2009-12-29 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-29 21:22 . 2006-03-28 09:44 -------- d-----w- c:\program files\Java
2009-12-29 21:21 . 2009-12-29 21:21 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-29 21:20 . 2009-12-29 21:20 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-23 14:15 . 2006-03-28 10:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-23 14:15 . 2006-03-28 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-15 02:50 . 2009-09-20 23:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2009-12-13 19:26 . 2009-12-13 19:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-12-13 19:25 . 2009-12-13 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 16:17 . 2006-06-04 16:58 1430 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-12-02 13:48 . 2006-03-28 10:20 52752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 13:40 . 2009-12-02 13:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-21 15:51 . 2004-08-09 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 17:26 . 2005-01-24 18:30 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\defupabo.dll
1601-01-01 00:03 . 1601-01-01 00:03 56320 --sha-w- c:\windows\system32\pemewoma.dll
.

------- Sigcheck -------

[-] 2010-01-23 02:20 . B8C5DB62C058D42FA711996A493C96D6 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-29 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-09 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c1a242b-e83f-4526-bb4e-e91d649004cf}]
1601-01-01 00:03 56320 --sha-w- c:\windows\system32\pemewoma.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-28 180269]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-28 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [5/11/2009 1:53 PM 21504]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
S1 irgshvyq;irgshvyq;\??\c:\windows\system32\drivers\irgshvyq.sys --> c:\windows\system32\drivers\irgshvyq.sys [?]
S1 mpzleuhs;mpzleuhs;\??\c:\windows\system32\drivers\mpzleuhs.sys --> c:\windows\system32\drivers\mpzleuhs.sys [?]
S1 olplmevp;olplmevp;\??\c:\windows\system32\drivers\olplmevp.sys --> c:\windows\system32\drivers\olplmevp.sys [?]
S1 xxnhjedl;xxnhjedl;\??\c:\windows\system32\drivers\xxnhjedl.sys --> c:\windows\system32\drivers\xxnhjedl.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\86tw9cyj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-kemafiyugi - tusubiku.dll
SharedTaskScheduler-{fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - (no file)
SharedTaskScheduler-{039a0385-fa79-489d-9ab6-7d3991628aae} - (no file)
SSODL-hireteniw-{fad3db77-7f7f-4ff7-854d-96a2d291e3d7} - (no file)
SSODL-dapuruwuj-{039a0385-fa79-489d-9ab6-7d3991628aae} - (no file)
MSConfigStartUp-settdebugx - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-01-30 17:36:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 22:36

Pre-Run: 167,624,675,328 bytes free
Post-Run: 168,618,696,704 bytes free

- - End Of File - - 922EA546BABEB677A4E347950B592520


#6 extremeboy (Malware Response Team)

Posted 30 January 2010 - 06:02 PM

Hello.

Nope, that's fine. ComboFix usually reboots the machine automatically upon its run, so it should be fine.

One of the infections is a backdoor, however.

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    File::
    c:\windows\system32\drivers\irgshvyq.sys
    c:\windows\system32\drivers\mpzleuhs.sys
    c:\windows\system32\drivers\olplmevp.sys
    c:\windows\system32\drivers\xxnhjedl.sys
    c:\windows\system32\defupabo.dll
    c:\windows\system32\pemewoma.dll
    Driver::
    irgshvyq
    mpzleuhs
    olplmevp
    xxnhjedl
    FCopy::
    c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
    DirLook::
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\knbivc
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post those logs in your next reply please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
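The CFScript above was written by hand from indicators in the ComboFix log: the atapi.sys hash that matches none of its backup copies (Sigcheck), the four S1 services whose driver files ComboFix could not read, the two DLLs with a 1601-01-01 timestamp, and the loopback proxy on 127.0.0.1:5555. The following is an added example, not code from the thread or from ComboFix itself: a Python triage script that reads those line formats and proposes the same directives. Its assumptions are labelled in the code: the Sigcheck "[-]" flag is read as "hash matches no known-good copy", a trailing "[?]" on a service line as "driver file not present", and a 1601-01-01 timestamp as a zeroed FILETIME. The sample log is constructed from lines excerpted from the log posted above, and the function names are the example's own.

```python
"""Triage a ComboFix log into CFScript directives (added example, not ComboFix's own code)."""
import re
from collections import defaultdict

# Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+\d{4}-\d\d-\d\d(?: \d\d:\d\d)?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+\d+\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$")
# Service line: "S1 name;display;image path ...". A trailing "[?]" is read (assumption) as "file not present".
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
MISSING_FILE_RE = re.compile(r"-->\s+(?P<path>.+?)\s+\[\?\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
# 1601-01-01 is FILETIME zero: a cleared or forged timestamp, never a real install date.
ZERO_TS_RE = re.compile(r"^1601-01-01 \d\d:\d\d\b.*?(?P<path>[a-z]:\\.+)$", re.I)


def is_loopback_proxy(value):
    """True if any proxy entry ("http=127.0.0.1:5555", "host:port;...") points back at this machine."""
    for item in value.split(";"):
        host = item.split("=")[-1].strip().rsplit(":", 1)[0].strip("[]").lower()
        if host in ("localhost", "::1") or host.startswith("127."):
            return True
    return False


def version_tuple(ver):
    """'5.1.2600.5512' -> (5, 1, 2600, 5512); '------' (no version resource) -> ()."""
    return tuple(int(p) for p in ver.split(".")) if re.fullmatch(r"\d+(?:\.\d+)*", ver) else ()


def sigcheck_mismatches(entries):
    """Yield (live_path, restore_source) for files whose hash matches no backup copy.

    Assumption: ComboFix's "[-]" flag marks the failed check; the other copies of the
    same file name (dllcache, ServicePackFiles, ...) are the known-good candidates.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    for group in by_name.values():
        live = [e for e in group if e["flag"].strip() == "-"]
        good = [e for e in group if e["flag"].strip() != "-" and version_tuple(e["ver"])]
        for bad in live:
            if not good or any(g["md5"].lower() == bad["md5"].lower() for g in good):
                continue
            # Newest version wins; among equals prefer the service-pack copy, as the helper did.
            src = max(good, key=lambda g: (version_tuple(g["ver"]), "servicepackfiles" in g["path"].lower()))
            yield bad["path"], src["path"]


def build_cfscript(log_text):
    """Map the indicators in a ComboFix log to CFScript sections (directive -> lines)."""
    sections = {"DDS::": [], "File::": [], "Driver::": [], "FCopy::": []}
    sig = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SIGCHECK_RE.match(line):
            sig.append(m.groupdict())
        elif (m := PROXY_RE.match(line)) and is_loopback_proxy(m["value"]):
            # A loopback proxy with no legitimate local listener routes all IE traffic through the malware.
            sections["DDS::"] += [line, "uInternet Settings,ProxyOverride ="]
        elif m := SERVICE_RE.match(line):
            if mm := MISSING_FILE_RE.search(m["rest"]):
                sections["File::"].append(mm["path"])
                sections["Driver::"].append(m["name"])
        elif m := ZERO_TS_RE.match(line):
            sections["File::"].append(m["path"])
    for live, src in sigcheck_mismatches(sig):
        sections["FCopy::"].append(f"{src} | {live}")
    return {k: list(dict.fromkeys(v)) for k, v in sections.items()}  # dedupe, keep order


def render_cfscript(sections):
    """Emit the text in the layout used in the thread: a directive header, then its lines."""
    out = []
    for header, lines in sections.items():
        if lines:
            out.append(header)
            out.extend(lines)
    return "\n".join(out) + "\n"


# Constructed sample: lines excerpted from the ComboFix log posted above, so the script runs offline.
SAMPLE_LOG = r"""
[-] 2010-01-23 02:20 . B8C5DB62C058D42FA711996A493C96D6 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-29 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c1a242b-e83f-4526-bb4e-e91d649004cf}]
1601-01-01 00:03 56320 --sha-w- c:\windows\system32\pemewoma.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\defupabo.dll
1601-01-01 00:03 . 1601-01-01 00:03 56320 --sha-w- c:\windows\system32\pemewoma.dll
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
S1 irgshvyq;irgshvyq;\??\c:\windows\system32\drivers\irgshvyq.sys --> c:\windows\system32\drivers\irgshvyq.sys [?]
S1 mpzleuhs;mpzleuhs;\??\c:\windows\system32\drivers\mpzleuhs.sys --> c:\windows\system32\drivers\mpzleuhs.sys [?]
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

if __name__ == "__main__":
    print(render_cfscript(build_cfscript(SAMPLE_LOG)))
```

Run it and the output is the DDS::, File::, Driver:: and FCopy:: sections of the helper's script, with ServicePackFiles\i386\atapi.sys chosen as the restore source because it carries the newest version string and its MD5 matches the dllcache copy. The script does not emit RegLock:: or DirLook:: entries: those depend on judgement about locked keys and suspicious folders that the log lines alone do not encode, and a triage tool should propose only what it can justify from the evidence it parsed.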

#7 fuzzyfishy (Topic Starter)

Posted 30 January 2010 - 09:40 PM

Hi,

It looks like I want to reformat and reinstall. Can I get help with how to do that from this site/forum?
Also, I don't have any cds for this computer. Can I still reformat and reinstall? I'm sorry; I'm very clueless about all this.

Thanks

#8 extremeboy (Malware Response Team)

Posted 30 January 2010 - 09:46 PM

Hello.

Unfortunately, no. If you do not have the Windows CDs or any recovery disks available, then it is not possible to format the disk and reinstall Windows. Information on formatting/clean installing Windows XP: http://howtocleaninstall.com/windows/clean...all-windows-xp/ and http://michaelstevenstech.com/cleanxpinstall.html

#9 fuzzyfishy (Topic Starter)

Posted 30 January 2010 - 10:54 PM

Thank you for the links.

Alright then, I guess it is back to cleaning the computer. I'll run ComboFix now.

Two other questions:
1. If I had a system restore point that was previous to when I got the infection, could I use that and not have the infection anymore?
2. Which backdoor trojan do I have?

#10 fuzzyfishy (Topic Starter)

Posted 30 January 2010 - 11:36 PM

Ok, after I dragged the CFScript icon into Combofix and ComboFix opened up, a window popped up stating
"There's a new version of ComboFix available
Would you like to update ComboFix?"
I clicked yes, and then ComboFix restarted. Then the same update window showed up and I clicked yes again, and ComboFix restarted again. Then ComboFix seemed to run its scan. And again, at some point the computer restarted. Once the computer restarted, a window popped up titled "RUNDLL" stating
"Error loading tusubiku.dll

The specified module could not be found."


I'll now try to reinstall Malwarebytes Anti-Malware.


ComboFix 10-01-30.04 - HP_Administrator 01/30/2010 23:00:34.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.549 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\defupabo.dll"
"c:\windows\system32\drivers\irgshvyq.sys"
"c:\windows\system32\drivers\mpzleuhs.sys"
"c:\windows\system32\drivers\olplmevp.sys"
"c:\windows\system32\drivers\xxnhjedl.sys"
"c:\windows\system32\pemewoma.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\windows\system32\defupabo.dll
c:\windows\system32\pemewoma.dll

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_irgshvyq
-------\Service_mpzleuhs
-------\Service_olplmevp
-------\Service_xxnhjedl


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-31 )))))))))))))))))))))))))))))))
.

2010-01-25 14:58 . 2010-01-26 15:55 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\knbivc
2010-01-23 00:56 . 2010-01-23 02:24 -------- d-----w- C:\d6b8f5b9ba701d5f16c6f3d2c9d1e2
2010-01-20 03:52 . 2010-01-20 03:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-19 22:10 . 2010-01-19 22:10 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-16 15:49 . 2010-01-16 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2010-01-16 15:48 . 2010-01-16 15:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-16 06:59 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-14 21:14 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 21:14 . 2010-01-22 05:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 21:14 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 20:03 . 2010-01-14 20:03 -------- d--h--w- c:\windows\PIF
2010-01-14 18:15 . 2010-01-16 19:29 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\lrlelp
2010-01-11 16:21 . 2010-01-16 06:35 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\ficwwl
2010-01-09 21:31 . 2010-01-09 21:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-01-08 03:22 . 2010-01-08 03:33 -------- d-----w- C:\3c8ddba094fb7fd6b18d75e9e9
2010-01-07 19:15 . 2010-01-07 19:15 0 ----a-w- c:\documents and settings\HP_Administrator\settings.dat
2010-01-06 20:14 . 2010-01-06 20:23 -------- d-----w- C:\b2a6ae9d30848f1b658a45
2010-01-06 20:04 . 2010-01-06 20:13 -------- d-----w- C:\b6b6ee2ffb6433c078e5419bce1482
2010-01-06 18:05 . 2010-01-06 18:06 -------- d-----w- C:\b66a0401de4a205ab93b2d5634dc4d
2010-01-06 17:43 . 2010-01-06 17:43 -------- d-----w- C:\18d696b4e707fb18d8
2010-01-06 17:37 . 2010-01-06 17:39 -------- d-----w- C:\4a7fbb3f1bc15ad0ab5e65

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 20:04 . 2009-10-20 17:21 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-28 19:25 . 2010-01-16 15:49 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-21 04:26 . 2009-12-02 06:15 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 15:49 . 2010-01-16 15:49 52224 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-14 16:12 . 2009-12-14 01:48 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 06:03 . 2008-02-14 00:18 130971 ----a-w- c:\windows\hpoins12.dat
2009-12-29 21:22 . 2009-12-29 21:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-29 21:22 . 2006-03-28 09:44 -------- d-----w- c:\program files\Java
2009-12-29 21:21 . 2009-12-29 21:21 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-29 21:20 . 2009-12-29 21:20 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-23 14:15 . 2006-03-28 10:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-23 14:15 . 2006-03-28 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-15 02:50 . 2009-09-20 23:34 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2009-12-13 19:26 . 2009-12-13 19:26 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-12-13 19:25 . 2009-12-13 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-03 16:17 . 2006-06-04 16:58 1430 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2009-12-02 13:48 . 2006-03-28 10:20 52752 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-02 13:40 . 2009-12-02 13:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-21 15:51 . 2004-08-09 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-18 17:26 . 2005-01-24 18:30 139264 ----a-w- c:\windows\system32\hpzjrd01.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\HP_Administrator\Local Settings\Application Data\knbivc ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-03-28 180269]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"kemafiyugi"="tusubiku.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-3-28 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [5/11/2009 1:53 PM 21504]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\86tw9cyj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{7c1a242b-e83f-4526-bb4e-e91d649004cf} - pemewoma.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-30 23:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1120)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ARPWRMSG.EXE
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-01-30 23:18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-31 04:18
ComboFix2.txt 2010-01-30 22:36

Pre-Run: 168,518,316,032 bytes free
Post-Run: 168,519,557,120 bytes free

- - End Of File - - 35844911397C99BAF5243B3324B5DA6B


#11 fuzzyfishy (Topic Starter)

Posted 31 January 2010 - 12:02 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3665
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/31/2010 12:00:01 AM
mbam-log-2010-01-31 (00-00-01).txt

Scan type: Quick Scan
Objects scanned: 124004
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kemafiyugi (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 extremeboy (Malware Response Team)

Posted 31 January 2010 - 12:59 PM

System Restore point won't remove it. One of the infections you had relating to the backdoor was TDL3.

That error you got was due to a registry key not removed that came back. Malwarebytes removed it though, so it should be good now.

Let's get an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 fuzzyfishy (Topic Starter)

Posted 01 February 2010 - 10:00 AM

I ran the scan yesterday, but the Kaspersky page stated to deactivate antivirus software before running the scan, so I turned off MSE real-time protection. The scan took a long time, and when I came back there was another rogue anti-spyware program on my computer (a different one from Antivirus Live; this one I hadn't seen on my computer before). So I tried to click on the View scan report button, but Internet Explorer wasn't responding. I turned on MSE real-time protection and it removed these two things:
Trojan:JS/Redirector.BT
Exploit:Win32/Pdfjsc.CR

and I ran an MBAM quick scan. Here's the log:

Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phywpicc (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\phywpicc (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then I ran Kaspersky again, but this time I left MSE real-time protection on (let me know if you want me to run it again with it turned off). The scan didn't seem to be affected by it, and here is the report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, February 01, 2010 06:38:35
Records in database: 3393530


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics
Objects scanned 193338
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 04:34:05

File name Threat Threats count
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\23\40d74897-5bb485a3 Infected: Trojan-Downloader.Java.Agent.ab 1

Selected area has been scanned.


#14 extremeboy (Malware Response Team)

Posted 01 February 2010 - 01:11 PM

Hello.

Seems fine; that's just a Java cache we can deal with later. You can delete it manually yourself too.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#15 fuzzyfishy (Topic Starter)

Posted 02 February 2010 - 11:56 AM

I manually deleted C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\23\40d74897-5bb485a3.

Here are the DDS and Attach logs (Attach log is in the post and as an attachment). Beneath them is an MBAM full scan log I ran yesterday, and it seemed to find more stuff.

Still, every time I start the computer and open an Internet Explorer browser window, there are a couple of these in the most recent history:
file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STS7.tmp
file:///C:/Documents%2520and%2520Settings/HP_Administrator/Local%2520Settings/Temp/STS8.tmp
Do you know what those are about?

There have been no pop-ups yesterday or today so far, so that's good. It does, though, seem like the computer runs a little slower than it did before it got the infection.


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 11:20:05.76 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.517 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CPrintEnhancer Object: {ae84a6aa-a333-4b92-b276-c11e2212e4fe} - c:\program files\hp\smart web printing\SmartWebPrinting.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\86tw9cyj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\JakNDis.sys [2009-5-11 21504]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-01-31 04:50:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-31 04:50:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-30 22:09:38 98816 ----a-w- c:\windows\sed.exe
2010-01-30 22:09:38 77312 ----a-w- c:\windows\MBR.exe
2010-01-30 22:09:38 261632 ----a-w- c:\windows\PEV.exe
2010-01-30 22:09:38 161792 ----a-w- c:\windows\SWREG.exe
2010-01-23 00:56:24 0 d-----w- C:\d6b8f5b9ba701d5f16c6f3d2c9d1e2
2010-01-19 22:10:40 0 d-----w- c:\program files\Microsoft Security Essentials
2010-01-16 15:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-01-16 15:48:45 0 d-----w- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2010-01-16 15:48:09 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-01-16 06:59:57 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-14 21:14:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 20:03:15 0 d--h--w- c:\windows\PIF
2010-01-08 03:22:21 0 d-----w- C:\3c8ddba094fb7fd6b18d75e9e9
2010-01-07 19:15:49 0 ----a-w- c:\documents and settings\hp_administrator\settings.dat
2010-01-06 20:14:52 0 d-----w- C:\b2a6ae9d30848f1b658a45
2010-01-06 20:11:49 0 d-----w- c:\windows\pss
2010-01-06 20:04:03 0 d-----w- C:\b6b6ee2ffb6433c078e5419bce1482
2010-01-06 18:05:06 0 d-----w- C:\b66a0401de4a205ab93b2d5634dc4d
2010-01-06 17:43:21 0 d-----w- C:\18d696b4e707fb18d8
2010-01-06 17:37:14 0 d-----w- C:\4a7fbb3f1bc15ad0ab5e65

==================== Find3M ====================

2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-09 06:03:14 130971 ----a-w- c:\windows\hpoins12.dat
2009-12-29 21:22:46 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-03 16:17:22 1430 ----a-w- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-11-18 17:26:00 139264 ----a-w- c:\windows\system32\hpzjrd01.dll

============= FINISH: 11:20:59.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/3/2006 9:28:42 PM
System Uptime: 2/2/2010 11:04:03 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | Onyx2
Processor: Intel® Celeron® M processor 1.70GHz | CPU 1 | 1697/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 156.536 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.422 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {7D2BA5A7-3892-44EB-95FD-EC7336FD7164}
Description: MS ArACPI Driver
Device ID: ACPI\AWY0001\2&DABA3FF&0
Manufacturer: Microsoft
Name: MS ArACPI Driver
PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
Service: aracpi

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Microsoft Kernel Acoustic Echo Canceller
Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Manufacturer: Microsoft
Name: Microsoft Kernel Acoustic Echo Canceller
PNP Device ID: SW\{4245FF73-1DB4-11D2-86E4-98AE20524153}\{9B365890-165F-11D0-A195-0020AFD156E4}
Service: aec

==== System Restore Points ===================

RP103: 11/4/2009 11:12:43 PM - Software Distribution Service 3.0
RP104: 11/8/2009 12:57:56 PM - System Checkpoint
RP105: 11/12/2009 9:32:45 AM - Software Distribution Service 3.0
RP106: 11/13/2009 10:13:47 AM - System Checkpoint
RP107: 11/14/2009 5:50:48 PM - System Checkpoint
RP108: 11/16/2009 11:18:42 AM - System Checkpoint
RP109: 11/18/2009 12:29:51 PM - Installed HP Product Assistant
RP110: 11/18/2009 12:30:29 PM - Installed 32 Bit HP CIO Components Installer
RP111: 11/18/2009 12:31:10 PM - Removed 32 Bit HP CIO Components Installer
RP112: 11/19/2009 4:28:28 PM - Software Distribution Service 3.0
RP113: 11/20/2009 5:09:29 PM - System Checkpoint
RP114: 11/24/2009 10:02:21 AM - System Checkpoint
RP115: 11/25/2009 10:49:44 AM - System Checkpoint
RP116: 11/25/2009 11:48:49 PM - Software Distribution Service 3.0
RP117: 11/26/2009 10:35:04 PM - Installed Windows Internet Explorer 8.
RP118: 11/26/2009 10:49:24 PM - Software Distribution Service 3.0
RP119: 11/27/2009 6:37:39 AM - Software Distribution Service 3.0
RP120: 11/29/2009 9:59:29 AM - System Checkpoint
RP121: 11/30/2009 11:34:17 AM - System Checkpoint
RP122: 12/1/2009 2:28:53 PM - System Checkpoint
RP123: 12/2/2009 8:38:04 AM - Software Distribution Service 3.0
RP124: 12/3/2009 8:51:32 AM - System Checkpoint
RP125: 12/3/2009 11:31:56 AM - Software Distribution Service 3.0
RP126: 12/4/2009 2:12:52 PM - System Checkpoint
RP127: 12/5/2009 8:51:58 PM - System Checkpoint
RP128: 12/6/2009 3:43:24 PM - Installed Windows Internet Explorer 8.
RP129: 12/6/2009 4:11:40 PM - Software Distribution Service 3.0
RP130: 12/7/2009 3:00:24 AM - Software Distribution Service 3.0
RP131: 12/8/2009 3:35:12 AM - System Checkpoint
RP132: 12/9/2009 10:47:02 AM - Software Distribution Service 3.0
RP133: 12/10/2009 10:55:36 AM - System Checkpoint
RP134: 12/11/2009 11:08:52 AM - System Checkpoint
RP135: 12/11/2009 11:32:01 PM - Software Distribution Service 3.0
RP136: 12/13/2009 2:14:04 AM - System Checkpoint
RP137: 12/13/2009 9:36:03 PM - Software Distribution Service 3.0
RP138: 12/15/2009 10:32:59 AM - Software Distribution Service 3.0
RP139: 12/22/2009 7:14:49 PM - System Checkpoint
RP140: 12/23/2009 9:05:47 AM - Configured easy Internet sign-up
RP141: 12/23/2009 9:25:11 AM - Software Distribution Service 3.0
RP142: 12/29/2009 12:21:40 PM - Software Distribution Service 3.0
RP143: 12/29/2009 12:30:31 PM - Software Distribution Service 3.0
RP144: 12/29/2009 2:27:28 PM - Microsoft Antimalware Checkpoint
RP145: 12/29/2009 4:22:38 PM - Installed Java™ 6 Update 17
RP146: 1/3/2010 8:59:05 PM - Software Distribution Service 3.0
RP147: 1/5/2010 3:04:13 AM - System Checkpoint
RP148: 1/6/2010 12:28:04 AM - Software Distribution Service 3.0
RP149: 1/6/2010 11:40:27 AM - Microsoft Antimalware Checkpoint
RP150: 1/6/2010 10:21:53 PM - Software Distribution Service 3.0
RP151: 1/8/2010 3:23:58 AM - System Checkpoint
RP152: 1/11/2010 2:20:29 PM - System Checkpoint
RP153: 1/16/2010 2:10:42 AM - Software Distribution Service 3.0
RP154: 1/16/2010 10:48:44 AM - Installed SUPERAntiSpyware Free Edition
RP155: 1/18/2010 2:03:32 AM - System Checkpoint
RP156: 1/19/2010 5:18:00 PM - Software Distribution Service 3.0
RP157: 1/19/2010 8:16:28 PM - Microsoft Antimalware Checkpoint
RP158: 1/19/2010 8:19:12 PM - Software Distribution Service 3.0
RP159: 1/20/2010 11:24:24 AM - Software Distribution Service 3.0
RP160: 1/20/2010 3:54:10 PM - Software Distribution Service 3.0
RP161: 1/21/2010 12:47:36 PM - Software Distribution Service 3.0
RP162: 1/22/2010 12:27:49 AM - Software Distribution Service 3.0
RP163: 1/22/2010 5:34:09 PM - Cleaned registry with Windows Live OneCare safety scanner
RP164: 1/22/2010 5:47:32 PM - Microsoft Antimalware Checkpoint
RP165: 1/23/2010 6:23:07 PM - System Checkpoint
RP166: 1/24/2010 5:04:49 AM - Microsoft Antimalware Checkpoint
RP167: 1/25/2010 9:59:04 AM - Microsoft Antimalware Checkpoint
RP168: 1/26/2010 2:13:40 PM - System Checkpoint
RP169: 1/27/2010 4:33:42 PM - System Checkpoint
RP170: 1/28/2010 5:16:00 PM - System Checkpoint
RP171: 1/28/2010 10:22:11 PM - Microsoft Antimalware Checkpoint
RP172: 1/29/2010 11:05:21 PM - System Checkpoint
RP173: 1/30/2010 2:50:14 PM - Microsoft Antimalware Checkpoint
RP174: 1/30/2010 5:38:43 PM - Software Distribution Service 3.0
RP175: 1/30/2010 11:22:42 PM - Software Distribution Service 3.0
RP176: 1/31/2010 1:31:02 AM - Software Distribution Service 3.0
RP177: 1/31/2010 12:14:26 PM - Software Distribution Service 3.0
RP178: 2/1/2010 1:30:49 AM - Microsoft Antimalware Checkpoint
RP179: 2/1/2010 1:35:19 AM - Software Distribution Service 3.0
RP180: 2/1/2010 10:01:35 AM - Software Distribution Service 3.0
RP181: 2/2/2010 11:12:40 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
AIO_Scan
AiOSoftware
AiOSoftwareNPI
Apple Application Support
Apple Software Update
BufferChm
CameraDrivers
Copy
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Customer Experience Enhancement
CustomerResearchQFolder
Data Fax SoftModem with SmartCP
Destinations
DeviceManagementQFolder
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
DocProc
DocumentViewer
DocumentViewerQFolder
Enhanced Multimedia Keyboard Solution
eSupportQFolder
F4100
F4100_Help
Fax
Fax_CDA
FullDPAppQFolder
GemMaster Mystic
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Boot Optimizer
HP Customer Participation Program 8.0
HP Deskjet All-In-One Software 8.0
HP Deskjet Printer Preload
HP Document Viewer 5.3
HP DVD Play 1.0
HP Imaging Device Functions 8.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 5.0
HP Photosmart Essential
HP Photosmart for Media Center PC
HP Photosmart Premier Software 6.0
HP Product Assistant
HP PSC & OfficeJet 5.3.A
HP PSC & OfficeJet 5.3.B
HP Smart Web Printing 1.0
HP Solution Center 8.0
HP Update
HP Web Helper
HPProductAssistant
HpSdpAppCoreApp
InstantShareDevices
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 17
LightScribe 1.4.62.1
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office Standard Edition 2003
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
muvee autoProducer 4.5
muvee autoProducer unPlugged 1.2
Netscape Browser (remove only)
NewCopy
NewCopy_CDA
OpenAL
OptionalContentQFolder
Otto
PC-Doctor 5 for Windows
PhotoGallery
PS2
PSPrinters08
PSTAPlugin
Puzzle Quest
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
QuickTime
RandMap
RealPlayer
Realtek High Definition Audio Driver
Remove IntelliMover Demo
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SkinsHP1
SolutionCenter
Sonic Express Labeler
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
Streaming Media Recorder
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP (remove only)
VLC media player 1.0.1
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

2/1/2010 7:44:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2 iaStor IntelIde ViaIde
2/1/2010 1:20:41 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.75.181.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5406.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/1/2010 1:09:21 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
1/30/2010 7:46:10 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.75.168.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5406.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/30/2010 2:48:42 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.75.94.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5406.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/28/2010 2:56:49 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.75.94.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5406.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/28/2010 2:29:34 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.73.80.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5405.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/28/2010 2:29:09 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.73.80.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5405.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/28/2010 11:13:09 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
1/27/2010 6:45:22 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.73.80.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5405.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/27/2010 6:36:31 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2
1/27/2010 6:34:57 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
1/27/2010 5:41:38 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/26/2010 11:07:47 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.73.80.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.5405.0 Error code: 0x80070422 Error description: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
1/26/2010 10:55:23 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ARSVC service.

==== End Of File ===========================




Malwarebytes' Anti-Malware 1.44
Database version: 3670
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/1/2010 7:29:38 PM
mbam-log-2010-02-01 (19-29-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 308357
Time elapsed: 2 hour(s), 7 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\pemewoma.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tusubiku.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zozefebe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP173\A0046677.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP173\A0046678.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP173\A0046716.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP173\A0046744.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0046796.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0046833.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0046865.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0046902.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0046951.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0047048.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP174\A0047076.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.
