
DCOM Server Process Launcher terminates


  • This topic is locked
25 replies to this topic

#1 jonzy28

  • Members
  • 20 posts

Posted 26 January 2010 - 02:16 AM

While repairing a friend's PC I installed an up to date AV and removed a virus that was found, but the remaining problem is that the PC keeps rebooting after about 20 mins due to a DCOM Server Process Launcher problem. I have used the shutdown -a from the command prompt to halt it from rebooting while I work to resolve the issue. There seems to be some sort of browser hijack object working as well, because while doing searches in Google to locate info to resolve it, when I would click on a link it would carry me to sites other than what I chose. I have included a copy of my HijackThis log. Your assistance is much appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:43 PM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\fred ray\Local Settings\Temporary Internet Files\Content.IE5\0HUNA22S\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/bellsouth/s/s.dll?spage=...amp;ck=&ck=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&...;os=5&src=1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\fred ray\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O15 - Trusted Zone: http://my.magicjack.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8942.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...639/mcfscan.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca121c7b6dc57a) (gupdate1ca121c7b6dc57a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe


#2 jonzy28
  • Topic Starter

  • Members
  • 20 posts

Posted 26 January 2010 - 02:41 AM

After reading the instructions for posting more carefully I have included my DDS and RootRepeal logs as requested as well.


DDS (Ver_09-12-01.01) - NTFSx86
Run by fred ray at 2:25:58.10 on Tue 01/26/2010
Internet Explorer: 8.0.6001.18702
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/bellsouth/s/s.dll?spage=hb/index.htm&ck=&ck=
uInternet Connection Wizard,ShellNext = hxxp://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4421001&ctry=00000409&os=5&src=1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [cdloader] "c:\documents and settings\fred ray\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [LXCECATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCEtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\fredra~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: magicjack.com\my
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5639/mcfscan.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-01-23 01:21:27 0 d-----w- c:\program files\Defraggler
2010-01-22 21:41:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-21 21:20:18 882 ----a-w- c:\windows\RegSDImport.xml
2010-01-21 21:20:18 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-21 21:20:18 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 21:20:18 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 21:20:18 131 ----a-w- c:\windows\IDB.zip
2010-01-21 21:20:17 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 21:20:17 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 21:20:17 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 20:58:36 0 d-----w- c:\program files\Spyware Doctor
2010-01-21 20:58:36 0 d-----w- c:\program files\common files\PC Tools
2010-01-21 20:58:36 0 d-----w- c:\docume~1\fredra~1\applic~1\PC Tools
2010-01-21 20:58:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-21 02:59:17 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-21 02:57:22 0 d-----w- c:\program files\CCleaner
2010-01-21 02:52:53 0 d-----w- c:\program files\BellSouth
2010-01-21 02:52:11 0 d-----w- c:\program files\att-prt22
2010-01-21 02:50:00 0 d-----w- c:\program files\Trusteer
2010-01-21 02:50:00 0 d-----w- c:\program files\Support.com
2010-01-21 02:40:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 21:05:53 164 ----a-w- c:\windows\install.dat
2010-01-19 22:30:29 243024 ----a-w- c:\windows\system32\LSPInstall.dll
2010-01-19 22:30:29 111960 ----a-w- c:\windows\system32\INetHTTPFilter.dll
2010-01-13 08:18:33 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-26 00:14:56 1530144 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-23 23:56:37 144260 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-19 12:20:29 539492 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-19 12:20:29 40201760 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-25 06:09:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 2:27:55.42 ===============



#3 DocSatan

    Bleepin' Wanna-Be

  • Members
  • 2,156 posts
  • Gender:Male
  • Location:Boston, Ma.

Posted 02 February 2010 - 12:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#4 jonzy28
  • Topic Starter

  • Members
  • 20 posts

Posted 03 February 2010 - 01:50 PM

As requested I have run the DDS script again and the logs are posted below.


DDS (Ver_09-12-01.01) - NTFSx86
Run by fred ray at 13:44:53.60 on Wed 02/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1384 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Webshots\webshots.scr
svchost.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\fred ray\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4421001&ctry=00000409&os=5&src=1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [cdloader] "c:\documents and settings\fred ray\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [LXCECATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCEtime.dll,_RunDLLEntry@16
StartupFolder: c:\docume~1\fredra~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: magicjack.com\my
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5639/mcfscan.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-22 163280]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-15 186128]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-11-1 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-11-1 334440]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-1-29 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-22 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]
R2 ZeppelinService;plasservice;c:\program files\common files\paretologic\plas\plasservice.exe [2009-1-14 587216]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-22 40384]
S2 gupdate1ca121c7b6dc57a;Google Update Service (gupdate1ca121c7b6dc57a);c:\program files\google\update\GoogleUpdate.exe [2009-7-31 133104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-11-1 972008]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 DVSAudio;DVS USB Audio Filter Driver (WDM);c:\windows\system32\drivers\DVSAudio.sys [2006-10-29 14864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-8 38224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 SPCA506AV;DVS Video;c:\windows\system32\drivers\DVS.SYS [2006-10-29 161669]

=============== Created Last 30 ================

2010-01-30 00:52:53 0 d-----w- c:\program files\a-squared Free
2010-01-27 16:20:20 0 d-----w- c:\program files\Defraggler
2010-01-22 21:41:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-01-21 21:20:18 882 ----a-w- c:\windows\RegSDImport.xml
2010-01-21 21:20:18 880 ----a-w- c:\windows\RegISSImport.xml
2010-01-21 21:20:18 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 21:20:18 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 21:20:18 131 ----a-w- c:\windows\IDB.zip
2010-01-21 21:20:17 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 21:20:17 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 21:20:17 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 20:58:36 0 d-----w- c:\program files\Spyware Doctor
2010-01-21 20:58:36 0 d-----w- c:\program files\common files\PC Tools
2010-01-21 20:58:36 0 d-----w- c:\docume~1\fredra~1\applic~1\PC Tools
2010-01-21 20:58:36 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-01-21 02:59:17 0 d-----w- c:\windows\system32\wbem\Repository
2010-01-21 02:57:22 0 d-----w- c:\program files\CCleaner
2010-01-21 02:52:53 0 d-----w- c:\program files\BellSouth
2010-01-21 02:52:11 0 d-----w- c:\program files\att-prt22
2010-01-21 02:50:00 0 d-----w- c:\program files\Trusteer
2010-01-21 02:50:00 0 d-----w- c:\program files\Support.com
2010-01-21 02:40:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 21:05:53 164 ----a-w- c:\windows\install.dat
2010-01-19 22:30:29 243024 ----a-w- c:\windows\system32\LSPInstall.dll
2010-01-19 22:30:29 111960 ----a-w- c:\windows\system32\INetHTTPFilter.dll
2010-01-13 08:18:33 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-03 09:53:32 1583904 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-03 05:56:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-03 05:56:14 147980 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-19 12:20:29 539492 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-19 12:20:29 40201760 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-25 06:09:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102520081026\index.dat

============= FINISH: 13:45:32.57 ===============


As instructed within the Attach.txt logfile I did not submit it but did save it to my desktop for use later if requested.

#5 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 10:20 AM

Hi jonzy28,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. I have read your post about the issue when you started the topic. Please update me with a description of the current problem.

  2. Also attach the Attach.txt to your reply.

  3. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
    • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
    • When the scan is finished, you will see the scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.


#6 jonzy28
  • Topic Starter

  • Members
  • 20 posts

Posted 05 February 2010 - 11:04 AM

Initially I continue to get an error noting that the DCOM Server Process Launcher terminated unexpectedly, and it shows a timer that allows me to shut down or save any work before the system reboots, and it will continue doing so roughly after about 20 minutes running. I found support online that directed me to go to Start/Run and type in "shutdown -a" to disable the shutdown so that I would be able to work on it. Secondly, in trying to click on links found in Google for help, it would carry me to random sites that would appear to be spam sites unless I right-clicked and selected "open in new tab". I am posting my attach.txt log along with my reply. Since I had toyed with things a bit while waiting for a response I am going to run the DDS again and post the logs as well.


Attached File  DDS.zip   3.68KB   10 downloads

I am now disconnecting from the internet and will run the GMER scanner, reconnect and post that log as well.

Edited by farbar, 05 February 2010 - 11:08 AM.
Removed the unneeded log.


#7 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 11:10 AM

Please attach the Attach.txt, no need for dds.txt. I removed the post as we don't need that log.

Also no need to post the log twice.

Edited by farbar, 05 February 2010 - 11:13 AM.


#8 jonzy28

jonzy28
  • Topic Starter
  • Members
  • 20 posts

Posted 05 February 2010 - 12:16 PM

I'm on my laptop now, but do you want it zipped or original format? GMER scan is still running but looks to be near finishing. You weren't specific, but is it OK to reconnect to the internet to post that log or should I copy to a USB drive and post from my laptop?

#9 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 12:55 PM

QUOTE
I'm on my laptop now, but do you want it zipped or original format?

No need to zip it, just attach it. The copied-and-pasted log and the zipped, attached log were both DDS.txt. That is why I asked for it again.

QUOTE
You weren't specific, but is it OK to reconnect to the internet to post that log or should I copy to a USB drive and post from my laptop?

Disconnecting was limited to when you run GMER. You may reconnect after GMER has finished scanning.



#10 jonzy28

jonzy28
  • Topic Starter
  • Members
  • 20 posts

Posted 05 February 2010 - 01:16 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-05 13:14:49
Windows 5.1.2600 Service Pack 3
Running: 02bmpst6.exe; Driver: C:\DOCUME~1\FREDRA~1\LOCALS~1\Temp\ffroapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB1647CEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB14DAC78]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xB16483E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB14DAB34]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB15B5730]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xB15B58A0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xB15B6340]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB15B5F90]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xB15B6C60]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xB1648534]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB14DB0E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB14DB012]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB14DA70A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xB15B3F80]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xB1648498]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB14DAC0E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB14DA64A]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xB15B6170]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB14DA6AE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xB1648144]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xB15B6910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB14DAD2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB14DB1B6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xB164BC70]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB14DACEE]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xB15B6C10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xB15B6F90]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xB15B7560]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xB15B2C40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB14DAE6E]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xB15B6BC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xB15B42F0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xB15B6760]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xB1647BE2]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xB15B5A20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xB15B1D40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xB15B1D50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xB15B1D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xB15B1D80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xB15B1DA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xB15B1DD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xB15B1DE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xB15B1E00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xB15B1E10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xB15B1ED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xB15B1FA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xB15B1FE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xB15B2020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 tskB.tmp
Device \Driver\atapi \Device\Ide\IdePort0 tskB.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tskB.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e tskB.tmp

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat AFD7DD20

AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----
Attached File: Attach.txt (16.36KB)
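A small triage helper for a GMER log like the one above, added here as an example (it is not part of the thread and not code from GMER): it parses the SSDT, Code and Device lines, counts kernel hooks per vendor, and lists device objects whose owning module carries no vendor annotation, which is the pattern the tskB.tmp entries on the atapi device stack show. The function names are my own, and the sample input is a constructed excerpt of the posted log.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the GMER log posted above (not the full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xB1647CEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB14DAC78]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xB15B5730]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xB15B1D40]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 tskB.tmp
Device \Driver\atapi \Device\Ide\IdePort0 tskB.tmp
Device \FileSystem\Fastfat \Fat AFD7DD20

---- EOF - GMER 1.0.15 ----
"""

# Module paths may contain spaces ("Program Files"), so the module is "everything
# up to the first ' (' that opens GMER's '(description/company)' annotation".
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\S+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$")
CODE_RE = re.compile(
    r"^Code\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\S+)\s*$")
# Device lines may lack the annotation entirely; that absence is the signal we want.
DEVICE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<module>.+?)(?:\s+\((?P<vendor>[^)]*)\))?\s*$")


def parse_gmer(text):
    """Return one dict per recognised line: kind, module, vendor, func, driver, device."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners
        for default_kind, rx in (("SSDT", SSDT_RE), ("Code", CODE_RE), ("Device", DEVICE_RE)):
            m = rx.match(line)
            if m:
                g = m.groupdict()
                entries.append({
                    "kind": g.get("kind") or default_kind,
                    "module": g["module"],
                    "vendor": g.get("vendor"),  # None when GMER printed no "(...)" annotation
                    "func": g.get("func"),
                    "driver": g.get("driver"),
                    "device": g.get("device"),
                })
                break
    return entries


def company(vendor):
    """GMER prints '(description/company)'; keep only the company part."""
    return vendor.rsplit("/", 1)[-1].strip() if vendor else None


def ssdt_hooks_by_company(entries):
    """How many system-call table entries each vendor has redirected."""
    return Counter(company(e["vendor"]) for e in entries if e["kind"] == "SSDT")


def unattributed_modules(entries):
    """Modules GMER could not annotate with a vendor; each one needs a manual look."""
    return sorted({e["module"] for e in entries if e["vendor"] is None})


def unattributed_device_stacks(entries):
    """(driver, device, module) for device objects owned by an unattributed module."""
    return [(e["driver"], e["device"], e["module"])
            for e in entries
            if e["kind"] in ("Device", "AttachedDevice") and e["vendor"] is None]


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks per vendor:")
    for name, n in ssdt_hooks_by_company(found).most_common():
        print(f"  {name}: {n}")
    print("Device objects with no vendor annotation (review these first):")
    for driver, device, module in unattributed_device_stacks(found):
        print(f"  {driver} {device} -> {module}")
```

Hooks from a known security product (avast!, Kaspersky, Trusteer) are expected on this machine; an unnamed .tmp module sitting on the disk driver's device objects is what a reviewer would escalate.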

#11 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 01:31 PM

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#12 jonzy28

jonzy28
  • Topic Starter
  • Members
  • 20 posts

Posted 05 February 2010 - 02:18 PM

ComboFix 10-02-05.01 - fred ray 02/05/2010 14:10:29.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1576 [GMT -5:00]
Running from: c:\documents and settings\fred ray\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\windows\unins000.dat
c:\windows\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-05 to 2010-02-05 )))))))))))))))))))))))))))))))
.

2010-02-03 09:49 . 2010-02-03 09:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\IsolatedStorage
2010-02-01 20:41 . 2010-02-01 20:41 -------- d-----w- c:\documents and settings\fred ray\Local Settings\Application Data\IsolatedStorage
2010-02-01 19:26 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\fred ray\Application Data\mjusbsp\in00000\setup.exe
2010-02-01 19:26 . 2009-12-24 16:54 730032 ---ha-w- c:\documents and settings\fred ray\Application Data\mjusbsp\ar00000\install.exe
2010-01-30 20:06 . 2010-01-30 20:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-30 00:52 . 2010-02-01 02:19 -------- d-----w- c:\program files\a-squared Free
2010-01-28 14:37 . 2010-01-30 07:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-01-27 16:20 . 2010-01-27 16:20 -------- d-----w- c:\program files\Defraggler
2010-01-23 01:40 . 2010-01-23 01:40 52224 ----a-w- c:\documents and settings\fred ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-23 01:39 . 2010-01-23 01:40 117760 ----a-w- c:\documents and settings\fred ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-22 21:42 . 2010-01-28 21:57 163280 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-22 21:42 . 2010-01-28 21:54 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-22 21:42 . 2010-01-28 21:54 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-22 21:42 . 2010-01-28 21:57 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-22 21:42 . 2010-01-28 21:54 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-01-22 21:42 . 2010-01-28 21:54 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-01-22 21:42 . 2010-01-28 21:53 28240 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-01-22 21:42 . 2010-01-28 22:09 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-22 21:42 . 2010-01-19 11:57 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-22 21:41 . 2010-01-22 21:41 -------- d-----w- c:\program files\Alwil Software
2010-01-22 21:41 . 2010-01-22 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-01-21 21:20 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-21 21:20 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-21 21:20 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-01-21 21:20 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-21 21:20 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-21 21:20 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-21 20:58 . 2010-01-22 21:21 -------- d-----w- c:\program files\Spyware Doctor
2010-01-21 20:58 . 2010-01-22 21:21 -------- d-----w- c:\program files\Common Files\PC Tools
2010-01-21 20:58 . 2010-01-21 20:58 -------- d-----w- c:\documents and settings\fred ray\Application Data\PC Tools
2010-01-21 20:58 . 2010-01-21 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-01-21 17:27 . 2010-01-21 17:32 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-21 02:59 . 2010-01-21 02:59 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-21 02:57 . 2010-01-21 02:57 -------- d-----w- c:\program files\CCleaner
2010-01-21 02:52 . 2010-01-21 02:52 -------- d-----w- c:\program files\BellSouth
2010-01-21 02:52 . 2010-01-21 02:52 -------- d-----w- c:\program files\att-prt22
2010-01-21 02:50 . 2010-01-21 02:52 -------- d-----w- c:\program files\Support.com
2010-01-21 02:50 . 2010-01-21 02:50 -------- d-----w- c:\program files\Trusteer
2010-01-21 02:40 . 2010-01-27 16:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-20 21:05 . 2010-01-20 21:05 164 ----a-w- c:\windows\install.dat
2010-01-19 22:30 . 2009-01-14 15:04 243024 ----a-w- c:\windows\system32\LSPInstall.dll
2010-01-19 22:30 . 2009-01-14 15:04 111960 ----a-w- c:\windows\system32\INetHTTPFilter.dll
2010-01-19 21:50 . 2010-01-19 21:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-19 21:48 . 2010-01-19 21:48 -------- d-----w- c:\documents and settings\Administrator\PrivacIE
2010-01-19 21:47 . 2010-01-19 21:47 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-01-18 15:13 . 2010-01-21 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-16 19:59 . 2010-01-16 19:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-13 08:18 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-05 19:09 . 2009-01-15 19:25 1586720 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-03 05:56 . 1980-01-01 05:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-03 05:56 . 2009-01-15 19:25 147980 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-01 19:26 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\fred ray\Application Data\mjusbsp
2010-02-01 18:31 . 2006-05-04 20:50 -------- d-----w- c:\program files\Lx_cats
2010-01-30 09:43 . 2008-06-27 21:03 -------- d-----w- c:\program files\AWS
2010-01-22 21:20 . 2007-08-22 13:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-21 03:03 . 2008-11-22 02:45 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 02:52 . 2006-05-04 20:57 -------- d-----w- c:\program files\Common Files\Motive
2010-01-21 02:52 . 2009-02-14 20:11 -------- d-----w- c:\program files\ATT-PRT22-WISE
2010-01-21 02:37 . 2007-05-27 19:38 -------- d-----w- c:\program files\Common Files\supportsoft
2010-01-20 23:43 . 2007-05-27 19:38 -------- d-----w- c:\program files\Dell Support Center
2010-01-19 22:30 . 2009-01-15 19:22 -------- d-----w- c:\program files\ParetoLogic
2010-01-19 22:30 . 2009-01-15 19:22 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-19 22:30 . 2009-01-15 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-19 12:20 . 2009-01-15 19:25 539492 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-19 12:20 . 2009-01-15 19:25 40201760 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-18 22:08 . 2009-07-31 20:16 -------- d-----w- c:\program files\Google
2010-01-07 21:07 . 2009-06-08 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-08 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 16:59 . 2009-12-24 16:59 93016 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-04 14:43 6515976 ---ha-w- c:\documents and settings\fred ray\Application Data\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-04 14:43 730032 ---ha-w- c:\documents and settings\fred ray\Application Data\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\fred ray\Application Data\mjusbsp\cdloader2.exe
2009-12-21 19:14 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 11:26 . 2006-06-29 20:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-04 23:00 . 2009-11-30 23:00 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\fred ray\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-31 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-28 2757512]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]

c:\documents and settings\fred ray\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-6-9 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-19 22:10 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^fred ray^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 14:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2005-07-26 12:17 94208 ----a-w- c:\program files\Lexmark 4300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-09-20 13:32 77824 ----a-w- c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-09-20 13:36 114688 ----a-w- c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-09-20 13:35 94208 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
2005-08-02 17:45 192512 ----a-w- c:\program files\Lexmark 4300 Series\lxcemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
2005-03-18 14:02 107520 ----a-w- c:\dell\MEDIAEXE\PREODM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-06-23 12:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2008-12-11 11:33 1809648 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2005-08-31 18:14 1277952 ----a-w- c:\program files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\fred ray\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [1/22/2010 4:42 PM 163280]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [11/1/2009 6:08 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [11/1/2009 6:08 PM 334440]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/28/2008 9:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 55024]
R2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [1/29/2010 7:52 PM 1858144]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [1/22/2010 4:42 PM 19024]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [1/14/2009 9:59 AM 587216]
S2 gupdate1ca121c7b6dc57a;Google Update Service (gupdate1ca121c7b6dc57a);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 3:21 PM 133104]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [11/1/2009 6:08 PM 972008]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 DVSAudio;DVS USB Audio Filter Driver (WDM);c:\windows\SYSTEM32\DRIVERS\DVSAudio.sys [10/29/2006 11:20 AM 14864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [6/8/2009 4:07 PM 38224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 7408]
S3 SPCA506AV;DVS Video;c:\windows\SYSTEM32\DRIVERS\DVS.SYS [10/29/2006 11:21 AM 161669]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FFROAPOG
*NewlyCreated* - KLMDB
*Deregistered* - ffroapog
*Deregistered* - klmd21
*Deregistered* - klmdb
.
Contents of the 'Scheduled Tasks' folder

2010-02-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-31 20:16]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 20:21]

2010-02-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 20:21]

2010-02-04 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-02-05 c:\windows\Tasks\User_Feed_Synchronization-{68BC40CC-BCCD-4DC3-BEB8-8401DA4B4E62}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4421001&ctry=00000409&os=5&src=1
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: magicjack.com\my
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-JRW43
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-osCheck - c:\program files\Norton 360 Premier Edition\osCheck.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-HijackThis - c:\documents and settings\fred ray\Local Settings\Temporary Internet Files\Content.IE5\0HUNA22S\HijackThis.exe
AddRemove-magicJack Recovery Tool_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-05 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\INetHTTPFilter.dll
.
Completion time: 2010-02-05 14:16:51
ComboFix-quarantined-files.txt 2010-02-05 19:16
ComboFix2.txt 2008-12-22 07:00

Pre-Run: 15,130,656,768 bytes free
Post-Run: 15,778,840,576 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7337A4328E4E2FEBDC2B490DB73390F4


#13 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 February 2010 - 03:01 PM

Combofix is run twice and this is the log of the second run.

Please go to start -> Run.
  • Copy and paste the bold line in the run-box and click OK: C:\Qoobox\ComboFix2.txt
  • A text file opens up, copy and paste the content to your reply.


#14 jonzy28
  • Topic Starter

  • Members
  • 20 posts
  • Local time:04:09 AM

Posted 05 February 2010 - 03:04 PM

ComboFix 08-12-21.04 - fred ray 2008-12-22 1:41:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.51 [GMT -5:00]
Running from: c:\documents and settings\fred ray\Desktop\fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\fred ray\Application Data\Install.dat
C:\log.udt
c:\windows\SYSTEM32\2136765841.dll
c:\windows\system32\result.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3550P


((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-22 01:37 . 2008-12-22 01:38 <DIR> d-------- C:\32788R22FWJFW
2008-12-21 23:05 . 2008-12-21 23:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-21 22:03 . 2008-12-21 22:03 <DIR> d-------- c:\program files\Windows Sidebar
2008-12-21 22:02 . 2008-12-22 01:33 <DIR> d-------- c:\program files\Norton 360 Premier Edition
2008-12-21 22:00 . 2008-12-21 22:08 <DIR> d-------- c:\program files\Symantec
2008-12-21 22:00 . 2008-12-21 22:08 123,952 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-12-21 22:00 . 2008-12-21 22:08 60,800 --a------ c:\windows\SYSTEM32\S32EVNT1.DLL
2008-12-21 22:00 . 2008-12-21 22:08 10,563 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-12-21 22:00 . 2008-12-21 22:08 805 --a------ c:\windows\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-12-21 21:44 . 2008-12-21 21:45 <DIR> d-------- c:\program files\Trojan Remover
2008-12-21 21:44 . 2008-12-21 21:44 <DIR> d-------- c:\documents and settings\fred ray\Application Data\Simply Super Software
2008-12-21 21:44 . 2008-12-21 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2008-12-21 21:44 . 2006-05-25 14:52 162,304 --a------ c:\windows\SYSTEM32\ztvunrar36.dll
2008-12-21 21:44 . 2003-02-02 19:06 153,088 --a------ c:\windows\SYSTEM32\UNRAR3.dll
2008-12-21 21:44 . 2005-08-26 00:50 77,312 --a------ c:\windows\SYSTEM32\ztvunace26.dll
2008-12-21 21:44 . 2002-03-06 00:00 75,264 --a------ c:\windows\SYSTEM32\unacev2.dll
2008-12-21 21:44 . 2006-06-19 12:01 69,632 --a------ c:\windows\SYSTEM32\ztvcabinet.dll
2008-12-21 20:21 . 2008-04-13 19:12 1,033,728 --a------ c:\windows\explorer.bak
2008-12-21 19:58 . 2008-12-21 19:58 <DIR> d-------- c:\documents and settings\fred ray\Application Data\Malwarebytes
2008-12-21 19:58 . 2008-12-21 19:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-21 19:57 . 2008-12-21 19:57 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-12-21 19:49 . 2008-12-22 01:37 0 --a------ c:\windows\win.ini
2008-12-21 19:49 . 2008-12-22 01:53 0 --a------ c:\windows\system.ini
2008-12-21 14:42 . 2008-12-21 14:42 382,976 --a------ c:\documents and settings\All Users\Application Data\FreeApp.exe
2008-12-21 10:14 . 2008-12-21 10:30 73,728 --a------ c:\windows\SYSTEM32\C3Y0q75l.exe
2008-11-23 19:18 . 2008-11-23 19:18 <DIR> d-------- c:\documents and settings\fred ray\Application Data\Nikon
2008-11-23 19:15 . 2008-11-23 19:39 <DIR> d-------- c:\program files\Common Files\Nikon
2008-11-23 19:14 . 2008-11-23 19:39 <DIR> d-------- c:\program files\Nikon
2008-11-23 19:13 . 2008-11-23 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ultima_T15
2008-11-23 19:13 . 2008-11-23 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\EnterNHelp
2008-11-23 19:13 . 2008-11-23 19:39 0 --ah----- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2008-11-23 18:10 . 2008-11-23 18:10 <DIR> d-------- c:\documents and settings\fred ray\Application Data\acccore
2008-11-22 03:00 . 2008-11-22 03:00 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-22 02:37 . 2008-10-16 14:06 268,648 --a------ c:\windows\SYSTEM32\mucltui.dll
2008-11-22 02:37 . 2008-10-16 14:06 208,744 --a------ c:\windows\SYSTEM32\muweb.dll
2008-11-22 02:37 . 2008-10-16 14:06 27,496 --a------ c:\windows\SYSTEM32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 06:52 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-22 06:34 --------- d-----w c:\program files\Lx_cats
2008-12-22 04:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-22 03:11 --------- d-----w c:\documents and settings\fred ray\Application Data\Symantec
2008-12-21 20:47 --------- d-----w c:\documents and settings\fred ray\Application Data\SUPERAntiSpyware.com
2008-12-21 20:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-21 16:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 16:17 --------- d-----w c:\program files\Unlocker
2008-12-11 11:33 --------- d-----w c:\program files\SUPERAntiSpyware
2008-11-24 19:28 --------- d-----w c:\program files\Common Files\AOL
2008-11-24 07:37 --------- d-----w c:\program files\Common Files\Adobe
2008-11-23 23:09 --------- d-----w c:\program files\Viewpoint
2008-11-23 23:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-22 02:45 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-06-19 22:09 61,224 ----a-w c:\documents and settings\fred ray\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCECATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [2005-07-20 73728]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-19 17:10 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP40"= SP40_32.DLL
"VIDC.SP44"= SP4X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^fred ray^Start Menu^Programs^Startup^Webshots.lnk]
backup=c:\windows\pss\Webshots.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cognac

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywareguard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-18 14:37 51048 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-13 17:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2005-07-26 07:17 94208 c:\program files\Lexmark 4300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 08:32 77824 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 08:36 114688 c:\windows\SYSTEM32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 08:35 94208 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
--a------ 2005-08-02 12:45 192512 c:\program files\Lexmark 4300 Series\lxcemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSCD_Creator]
--a------ 2005-03-18 09:02 107520 c:\dell\MEDIAEXE\PREODM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2008-02-26 09:50 988512 c:\program files\Norton 360 Premier Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-06-23 07:05 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-12-11 06:33 1809648 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
--a------ 2005-08-31 13:14 1277952 c:\program files\Support.com\BellSouth\hcenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2008-12-10 20:58 1230728 c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2007-08-29 09:55 1347584 c:\program files\AWS\WeatherBug\Weather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-23 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-21 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
S3 DVSAudio;DVS USB Audio Filter Driver (WDM);c:\windows\system32\drivers\DVSAudio.sys [2006-10-29 14864]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S3 SPCA506AV;DVS Video;c:\windows\system32\DRIVERS\DVS.SYS [2006-10-29 161669]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\RUNDLL32.EXE [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Cognac - c:\windows\TEMP\4.tmp.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-MSFox - c:\docume~1\FREDRA~1\LOCALS~1\Temp\a.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-ctfxmon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.att.net/bellsouth/s/s.dll?spage=hb/index.htm&ck=&ck=
uInternet Connection Wizard,ShellNext = hxxp://www.lexmark.com/MD/?func=newreg&lang=0&prtr=4421001&ctry=00000409&os=5&src=1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 01:53:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCECATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\SYSTEM32\fxssvc.exe
c:\windows\SYSTEM32\lxcecoms.exe
.
**************************************************************************
.
Completion time: 2008-12-22 2:00:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 07:00:05

Pre-Run: 24,834,351,104 bytes free
Post-Run: 24,777,781,248 bytes free

225


#15 Farbar

    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:09 AM

Posted 05 February 2010 - 05:24 PM

Please monitor the system and let me know whenever you get the DCOM Server notification or whenever the redirection is stopped. It seems you have run a Kaspersky product and it has replaced atapi.sys. It surprises me that the above mentioned problems still exist. There is nothing on the logs to indicate any infection.
  1. I see on the log Ask Toolbar is installed on your computer. At least there is an Add\Remove entry in the Attach.txt log.

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold (if present) only after uninstalling Ask Toolbar:
    C:\Program Files\AskBar
    c:\program files\askbardis

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. I'd like us to scan your machine with ESET OnlineScan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
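A defender-side check that matches the two removal steps in the post above (Ask Toolbar and outdated Java), added here as an example; it is not part of Farbar's post or of any tool he names. It reads the standard Add/Remove Programs registry data (the Uninstall keys under HKLM and HKCU are real Windows locations; the Wow6432Node path applies to 64-bit hosts only) and lists every Java entry, flagging those older than the newest one present, plus any Ask Toolbar entry and the two leftover folders. The name patterns it matches on ('Java', 'J2SE', 'Ask') are assumptions about how the vendors label their entries, and it assumes PowerShell 2.0 or later. It only reports; it removes nothing.

```powershell
# Added example, not from the thread or from any tool it mentions.
# Inventories Add/Remove Programs registry data for Java runtimes and the Ask
# Toolbar and reports which Java entries are older than the newest one present,
# so nothing is removed blindly. Nothing here uninstalls anything.
# Assumptions: PowerShell 2.0+; the Uninstall key paths are the standard Windows
# locations; the name patterns ('Java', 'J2SE', 'Ask') are guesses at vendor labels.

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 64-bit hosts only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

function Get-InstalledProgram {
    # One object per Add/Remove Programs entry that carries a display name.
    foreach ($root in $UninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            if (-not $p.DisplayName) { continue }
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                UninstallString = $p.UninstallString
                Key             = $key.PSChildName
            }
        }
    }
}

function Get-JavaInventory {
    # Java entries with an IsOutdated flag: $true when a newer Java entry exists.
    # DisplayVersion strings that do not parse as [version] (e.g. "1.4.2_03")
    # are kept in the list but never flagged, so they still get a human look.
    $java = @(Get-InstalledProgram | Where-Object { $_.Name -match 'Java|J2SE' })
    $versions = $java | ForEach-Object { $_.Version -as [version] } | Where-Object { $_ }
    $newest = $versions | Sort-Object -Descending | Select-Object -First 1
    foreach ($j in $java) {
        $v = $j.Version -as [version]
        $outdated = ($v -ne $null) -and ($newest -ne $null) -and ($v -lt $newest)
        $j | Add-Member -MemberType NoteProperty -Name IsOutdated -Value $outdated -PassThru
    }
}

function Get-AskToolbar {
    Get-InstalledProgram | Where-Object { $_.Name -match '^Ask' }
}

'== Java runtimes (uninstall the outdated ones, then install the current JRE) =='
Get-JavaInventory | Sort-Object Version | Format-Table Name, Version, IsOutdated, Key -AutoSize

'== Ask Toolbar entries =='
Get-AskToolbar | Format-Table Name, Version, UninstallString -AutoSize

# Leftover folders the post says to delete only after the toolbar is uninstalled.
foreach ($dir in "$env:ProgramFiles\AskBar", "$env:ProgramFiles\AskBarDis") {
    if (Test-Path $dir) { "Folder still present: $dir" }
}
```

Run it before and after the Add/Remove step: the first run shows what will be removed, the second confirms that only the newest Java entry remains and that no Ask entry or folder survived.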



