Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hijack this log file


  • This topic is locked This topic is locked
21 replies to this topic

#1 fogde

fogde

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 18 April 2010 - 11:45 PM



tried to follow the Prep Guide but were unable to get DDS to run.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Brian at 2010-04-18 21:14:11
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 13 GB (34%) free of 38 GB
Total RAM: 2046 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:22 PM, on 4/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\securitycenter.exe
C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\Desktop Security 2010.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\hp\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\hp\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Brian\Desktop\RSIT.exe
C:\Program Files\trend micro\Brian.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [khgdedsys] rundll32.exe "khihhe.dll",DllRegisterServer
O4 - HKLM\..\Run: [rqpnlldrv] rundll32.exe "khghfe.dll",s
O4 - HKLM\..\Run: [efcccbdrv] rundll32.exe "qomjhg.dll",s
O4 - HKLM\..\Run: [tuvvwvdrv] rundll32.exe "ssrqol.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [11r6l9uwtnfj] C:\Documents and Settings\Brian\Local Settings\Temp\m.299.tmp.exe
O4 - HKCU\..\Run: [wvwxvsdrv] rundll32.exe "khghfe.dll",s
O4 - HKCU\..\Run: [opmkhedrv] rundll32.exe "qomjhg.dll",s
O4 - HKCU\..\Run: [mlmjgddrv] rundll32.exe "ssrqol.dll",s
O4 - HKCU\..\Run: [SecurityCenter] C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\securitycenter.exe
O4 - HKCU\..\Run: [Desktop Security 2010] "C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\Desktop Security 2010.exe" /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hggffgsys] rundll32.exe "khihhe.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [efcdecdrv] rundll32.exe "khghfe.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ssqpqqdrv] rundll32.exe "qomjhg.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tusspmdrv] rundll32.exe "ssrqol.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.farmersinsurance.com
O15 - Trusted Zone: www.farmerslife.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAg...ImgXTwain61.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - https://eagent.farmersinsurance.com/PLA/eAg...rintControl.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAg...mgXDialog61.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/2,0,...pdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1181609387625
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAg...iveX/ImgX61.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} (prVisioInterface.EmVisioInterface) - https://bie.farmersinsurance.com/prweb/PRSe...iointerface.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v2.1 [ENU]) - http://mobius.farmersinsurance.com/Agent/c...nt/iejpwenu.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...061/mcfscan.cab
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - C:\DOCUME~1\Brian\LOCALS~1\Temp\2F.tmp
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

--
End of file - 13855 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 118844]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}]
ZoneAlarm Toolbar Registrar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-09 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-03-09 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BA52B914-B692-46c4-B683-905236F6F655} - McAfee VirusScan - c:\progra~1\mcafee.com\vso\mcvsshl.dll [2005-07-01 114688]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - ZoneAlarm Toolbar - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll [2009-10-14 578928]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2005-01-23 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-01-23 126976]
"BCMSMMSG"=C:\WINDOWS\BCMSMMSG.exe [2003-08-29 122880]
"StorageGuard"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-02-13 155648]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2003-08-26 204800]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2003-12-18 26112]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2003-10-06 53248]
"Dell AIO Printer A920"=C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe []
"VSOCheckTask"=C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe [2005-07-08 151552]
"VirusScan Online"=C:\Program Files\McAfee.com\VSO\mcvsshld.exe [2005-08-10 163840]
"masqform.exe"=C:\Program Files\PureEdge\Viewer 6.1\masqform.exe [2004-04-19 634880]
"OASClnt"=C:\Program Files\McAfee.com\VSO\oasclnt.exe [2005-08-11 53248]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2001-07-03 57344]
"HP Software Update"=C:\Program Files\hp\HP Software Update\HPWuSchd2.exe [2005-05-12 49152]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2005-05-31 122941]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-10-17 1037192]
"ISW"=C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [2009-10-14 730480]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"khgdedsys"=khihhe.dll,DllRegisterServer []
"rqpnlldrv"=khghfe.dll,s []
"efcccbdrv"=qomjhg.dll,s []
"tuvvwvdrv"=ssrqol.dll,s []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sonic RecordNow!"= []
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"MoneyAgent"=C:\Program Files\Microsoft Money\System\mnyexpr.exe [2003-06-18 200704]
"DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2007-03-15 460784]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"11r6l9uwtnfj"=C:\Documents and Settings\Brian\Local Settings\Temp\m.299.tmp.exe []
"wvwxvsdrv"=khghfe.dll,s []
"opmkhedrv"=qomjhg.dll,s []
"mlmjgddrv"=ssrqol.dll,s []
"SecurityCenter"=C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\securitycenter.exe [2010-04-15 147968]
"Desktop Security 2010"=C:\Documents and Settings\Brian\Application Data\Desktop Security 2010\Desktop Security 2010.exe [2010-04-15 1413632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AutorunsDisabled
HP Digital Imaging Monitor.lnk - C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
NETGEAR WN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WN111\wn111.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-01-23 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
khihhe.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe"="C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe:*:Disabled:javaw"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\hp\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\hp\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\hp\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\hp\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\hp\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\hp\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\hp\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\hp\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\ACT\ActUpdt.exe"="C:\Program Files\ACT\ActUpdt.exe:*:Enabled:ACT! Update"
"c:\\windows\\explorer.exe"="C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer"
"C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe"="C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"
"C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe"="C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\SYSTEM32\LEXPPS.EXE"="C:\WINDOWS\SYSTEM32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79451c55-4e0f-11dd-893b-000d5657344a}]
shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7f5868e-462d-11de-8990-000d5657344a}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2010-04-18 21:14:25 ----D---- C:\Program Files\trend micro
2010-04-18 21:14:11 ----D---- C:\rsit
2010-04-17 07:12:36 ----AH---- C:\WINDOWS\system32\ddbxxy.dll
2010-04-17 06:50:11 ----A---- C:\rkill i.txt
2010-04-16 07:18:17 ----AH---- C:\WINDOWS\system32\ssrqol.dll
2010-04-15 12:17:06 ----AH---- C:\WINDOWS\system32\qomjhg.dll
2010-04-15 10:49:59 ----AH---- C:\WINDOWS\system32\khghfe.dll
2010-04-15 10:45:21 ----D---- C:\Documents and Settings\Brian\Application Data\Desktop Security 2010
2010-04-15 10:44:56 ----AH---- C:\WINDOWS\system32\khihhe.dll
2010-04-14 03:08:13 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 03:07:39 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 03:04:30 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 03:04:10 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 03:03:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 03:02:25 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-02 07:45:59 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-04-02 07:45:31 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-02 07:45:31 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-02 07:45:31 ----A---- C:\WINDOWS\system32\java.exe
2010-03-30 09:58:44 ----A---- C:\mbam-error.txt
2010-03-25 10:25:24 ----DC---- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 01:04:52 ----D---- C:\Program Files\Alwil Software
2010-03-25 01:04:52 ----D---- C:\Documents and Settings\All Users\Application Data\Alwil Software

======List of files/folders modified in the last 1 months======

2010-04-18 21:15:43 ----D---- C:\WINDOWS\Prefetch
2010-04-18 21:14:25 ----AD---- C:\Program Files
2010-04-18 21:13:23 ----D---- C:\WINDOWS\Temp
2010-04-18 21:10:17 ----D---- C:\WINDOWS
2010-04-18 21:10:07 ----SD---- C:\WINDOWS\Tasks
2010-04-18 21:08:34 ----SHD---- C:\System Volume Information
2010-04-18 21:08:20 ----D---- C:\WINDOWS\Internet Logs
2010-04-18 21:07:04 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-18 21:05:51 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-17 20:29:23 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-17 20:29:20 ----D---- C:\WINDOWS\system32\DRIVERS
2010-04-17 19:57:28 ----A---- C:\WINDOWS\ntbtlog.txt
2010-04-17 07:12:36 ----D---- C:\WINDOWS\SYSTEM32
2010-04-16 07:33:29 ----D---- C:\WINDOWS\system32\NtmsData
2010-04-16 07:32:09 ----D---- C:\WINDOWS\Registration
2010-04-15 13:34:26 ----HD---- C:\WINDOWS\INF
2010-04-15 13:34:09 ----D---- C:\WINDOWS\REPAIR
2010-04-15 13:24:31 ----SHD---- C:\WINDOWS\Installer
2010-04-15 13:24:31 ----HD---- C:\Config.Msi
2010-04-15 13:24:26 ----D---- C:\WINDOWS\WinSxS
2010-04-14 03:08:25 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2010-04-14 03:07:46 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-14 03:07:43 ----A---- C:\WINDOWS\imsins.BAK
2010-04-14 03:02:50 ----D---- C:\WINDOWS\ie8updates
2010-04-07 13:48:42 ----HDC---- C:\WINDOWS\$NtUninstallKB922582$
2010-04-06 10:52:54 ----A---- C:\WINDOWS\system32\MRT.exe
2010-04-02 07:45:56 ----D---- C:\Program Files\Common Files\Java
2010-04-02 07:45:28 ----D---- C:\Program Files\Java
2010-04-01 03:03:22 ----D---- C:\Program Files\Internet Explorer
2010-03-26 22:55:57 ----HDC---- C:\WINDOWS\$NtUninstallKB920683$
2010-03-25 08:55:39 ----HDC---- C:\WINDOWS\$NtUninstallKB890047_0$
2010-03-25 01:11:32 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-24 15:22:08 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KLIF;Kaspersky Lab Driver; C:\WINDOWS\system32\DRIVERS\klif.sys [2009-10-12 317072]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2005-05-13 5627]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2005-05-13 23545]
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-10-17 486280]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2010-01-10 17801]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2003-12-18 8552]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2005-04-21 40544]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 ISWKL;ZoneAlarm Toolbar ISWKL; \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2005-05-31 25725]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2005-05-31 34845]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2005-05-31 4125]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2005-05-31 2241]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2005-05-31 86876]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2005-05-31 15069]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2005-05-31 6365]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2005-05-31 98716]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2005-05-31 100605]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136]
R3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-08-29 1101696]
R3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 GTNDIS5;GTNDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\GTNDIS5.SYS []
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-01-23 804317]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2005-07-26 28256]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 BCM42RLY;BCM42RLY; \??\C:\WINDOWS\System32\BCM42RLY.SYS []
S3 BCM43XX;Linksys Wireless-G PCI Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-12-22 369024]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2007-06-11 28672]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-03-07 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-03-07 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-03-07 21744]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-03 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-03 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-03 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-03 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-03 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-03 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-03 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-03 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-03 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-03 23615]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter; C:\WINDOWS\System32\DRIVERS\DELUSB_51.sys []
S3 SDDMI2;SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\System32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-03-13 691696]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 IswSvc;ZoneAlarm Toolbar IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [2009-10-14 476528]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-03-09 153376]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-06-02 303104]
R2 MSSQL$MICROSOFTBCM;MSSQL$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [2003-05-31 7544916]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872]
S2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe [2009-10-17 2384240]
S2 WMP54GSSVC;WMP54GSSVC; C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe [2004-02-06 41025]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\hpzipm12.exe [2004-09-29 69632]
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------


BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 23 April 2010 - 04:10 PM

Hello and and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed, If you have since
resolved your issues I would appreciate if you would let me no so I can close this topic.


Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply .
Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • MBAM log
  • Gmer log

Thanks

unite.jpg


#3 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 25 April 2010 - 02:11 AM

thanks for helping me. just so you know what has been done before i posted here the topic was "infected with Desktop Security 2010" and it was posted on the Aprol 16th at 9:27am and was asked to run rkill and malwarebytes. i could not and still can not get malware bytes to open and rkill would not work either. I was then told to follow steps 6-9 on prep guide. step 6 was defogger. 7 dds, 8 Gmer and 9 create a new topic with logs. When i ran dds i would get a microsoft C++ error message. i was then instructed to runs RSIT which i was able to do an post the log. so here the the log you asked for but i still can not run malwarebytes. now whats wierd is my computer has set idle waiting for a response from some at your web site and now i can't see that i have the Desktop Security 2010 on my computer any more I have not ran any type of programs to clean it so i am confused and concerned.

#4 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 25 April 2010 - 02:15 AM

when i try post the gmer log it is saying its to large and need to reduce it

#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 25 April 2010 - 05:25 AM

Ok please upload the log to me instead.

Please go to the Malware Upload Channel and upload the following file.
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the Gmer log.
  • In the comment section, please make a note that I asked you to upload the file here: Syler
  • Click Send File
Please let me know when the submission has finished. Thanks.

unite.jpg


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 25 April 2010 - 04:53 PM

It looks like your AV wasn't disabled that's why the log was so long, you need to make sure that you disable your AV if the instructions ask you to do so.

Can you tell me if you created the following folders on your desktop?

C:\Documents and Settings\Brian\Desktop\New Folder (2)\New Folder\New Folder (12)\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder\New Folder


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#7 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 26 April 2010 - 09:45 AM

here is the log and i created the new folders on desktop

ComboFix 10-04-21.01 - Brian 04/26/2010 7:03.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1450 [GMT -7:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian\Local Settings\Temporary Internet Files\5W48R.jpg
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\ERyWx20.jpg
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\GN23e4LG.jpg
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\knapp
c:\documents and settings\Brian\Local Settings\Temporary Internet Files\Omg08.jpg
c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\Temp
c:\windows\system32\drivers\fad.sys
c:\windows\system32\khghfe.dll
c:\windows\system32\khihhe.dll
c:\windows\system32\qomjhg.dll
c:\windows\system32\ssrqol.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-26 to 2010-04-26 )))))))))))))))))))))))))))))))
.

2010-04-19 04:14 . 2010-04-19 04:16 -------- d-----w- c:\program files\trend micro
2010-04-19 04:14 . 2010-04-19 04:20 -------- d-----w- C:\rsit
2010-04-17 14:12 . 2010-04-17 14:13 93184 ---ha-w- c:\windows\system32\ddbxxy.dll
2010-04-16 16:03 . 2010-04-16 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Powercinema
2010-04-16 00:09 . 2010-04-16 00:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 03:29 . 2009-09-01 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 14:45 . 2010-04-02 14:45 503808 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcp71.dll
2010-04-02 14:45 . 2010-04-02 14:45 499712 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\jmc.dll
2010-04-02 14:45 . 2010-04-02 14:45 348160 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcr71.dll
2010-04-02 14:45 . 2010-04-02 14:45 61440 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-sse.dll
2010-04-02 14:45 . 2010-04-02 14:45 12800 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-d3d.dll
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Java
2010-03-30 16:58 . 2009-12-03 17:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-09-01 23:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-09-01 23:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 17:25 . 2010-03-25 17:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 17:03 . 2010-03-25 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-25 08:11 . 2010-01-08 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-25 08:04 . 2010-03-25 08:04 -------- d-----w- c:\program files\Alwil Software
2010-03-25 01:45 . 2010-03-25 05:12 1381888 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-03-25 01:45 . 2010-03-25 05:12 2095616 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-03-24 22:22 . 2007-07-02 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-14 02:21 . 2010-03-14 02:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-14 02:21 . 2010-03-14 02:21 -------- d-----w- c:\program files\LSoft Technologies
2010-03-14 02:21 . 2003-12-18 12:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 07:08 . 2007-07-02 16:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:28 . 2009-04-03 20:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 16:07 . 2006-11-15 18:26 -------- d-----w- c:\documents and settings\Brian\Application Data\Share-to-Web Upload Folder
2010-02-25 06:24 . 2005-04-27 17:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-02 22:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 1980-01-01 06:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 17:16 . 2010-02-10 06:08 484352 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2007-06-30 23:31 . 2007-06-30 23:30 212849 ----a-w- c:\program files\hijackthis.zip
2005-02-28 23:31 . 2005-02-28 23:31 22916 ----a-w- c:\program files\FIGBWU.jpg
2005-02-28 23:31 . 2005-02-28 23:31 22968 ----a-w- c:\program files\FIGBW.jpg
2005-02-07 06:04 . 2005-02-07 06:04 3467795 ----a-w- c:\program files\whatif_setup.exe
2005-02-04 02:36 . 2005-02-04 02:35 864242 ----a-w- c:\program files\lessonNewcustomerleads.pdf
2004-08-28 04:04 . 2004-08-28 04:04 2609631 ----a-w- c:\program files\aawsepersonal.exe
2001-09-28 23:00 . 2004-08-28 01:50 164864 ----a-w- c:\program files\UNWISE.EXE
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-01-23 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-12-18 26112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 634880]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\hp\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\hp\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2008-4-1 2121728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
SideACT!.lnk - c:\program files\ACT\SideACT.exe [2004-4-23 278589]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\ACT\\ActUpdt.exe"=
"c:\\\\windows\\\\explorer.exe"= c:\\WINDOWS\\Explorer.EXE
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 6:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 6:30 AM 476528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/17/2007 4:58 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\DRIVERS\DELUSB_51.sys --> c:\windows\system32\DRIVERS\DELUSB_51.sys [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/13/2010 7:21 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2003-12-26 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: farmersinsurance.com
Trusted Zone: farmersinsurance.com\eagent
Trusted Zone: farmerslife.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} - hxxps://bie.farmersinsurance.com/prweb/PRServletLDAP1/8gYJ4DHQrCXUTefMjim_tw%5B%5B*/prvisiointerface.cab
DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} - hxxp://mobius.farmersinsurance.com/Agent/content/iejpwenu.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKCU-Run-wvwxvsdrv - khghfe.dll
HKCU-Run-opmkhedrv - qomjhg.dll
HKCU-Run-mlmjgddrv - ssrqol.dll
HKLM-Run-Dell AIO Printer A920 - c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
HKLM-Run-khgdedsys - khihhe.dll
HKLM-Run-rqpnlldrv - khghfe.dll
HKLM-Run-efcccbdrv - qomjhg.dll
HKLM-Run-tuvvwvdrv - ssrqol.dll
HKU-Default-Run-hggffgsys - khihhe.dll
HKU-Default-Run-efcdecdrv - khghfe.dll
HKU-Default-Run-ssqpqqdrv - qomjhg.dll
HKU-Default-Run-tusspmdrv - ssrqol.dll
AddRemove-Dell AIO Printer A920 - c:\windows\System32\spool\drivers\w32x86\3\DLBKUN5C.EXE
AddRemove-PDFLIB - c:\progra~1\COSSTEMP\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 07:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\l3codeca.acm
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(1756)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\hp\Digital Imaging\bin\hpqSTE08.exe
c:\program files\hp\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-04-26 07:37:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-26 14:37

Pre-Run: 13,786,292,224 bytes free
Post-Run: 14,695,456,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 9E61A6DD23942B73E93A3F7C1BF077DE


#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 26 April 2010 - 04:57 PM

Can you tell me how the computer is running now?

Please try running combofix again now and post back with the log if it runs, thanks.

unite.jpg


#9 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 27 April 2010 - 02:07 AM

i can finally run malwarebytes so i think it might be running better, here is the log there some settings that i need to change back from defogger i think. there was a program that boopme had me run that disabled some stuff on my computer.

ComboFix 10-04-26.02 - Brian 04/26/2010 21:16:27.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1495 [GMT -7:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.

2010-04-19 04:14 . 2010-04-19 04:16 -------- d-----w- c:\program files\trend micro
2010-04-19 04:14 . 2010-04-19 04:20 -------- d-----w- C:\rsit
2010-04-17 14:12 . 2010-04-17 14:13 93184 ---ha-w- c:\windows\system32\ddbxxy.dll
2010-04-16 16:03 . 2010-04-16 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Powercinema
2010-04-16 00:09 . 2010-04-16 00:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 14:45 . 2010-04-02 14:45 503808 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcp71.dll
2010-04-02 14:45 . 2010-04-02 14:45 499712 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\jmc.dll
2010-04-02 14:45 . 2010-04-02 14:45 348160 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcr71.dll
2010-04-02 14:45 . 2010-04-02 14:45 61440 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-sse.dll
2010-04-02 14:45 . 2010-04-02 14:45 12800 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 03:29 . 2009-09-01 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Java
2010-03-30 16:58 . 2009-12-03 17:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-09-01 23:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-09-01 23:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 17:25 . 2010-03-25 17:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 17:03 . 2010-03-25 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-25 08:11 . 2010-01-08 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-25 08:04 . 2010-03-25 08:04 -------- d-----w- c:\program files\Alwil Software
2010-03-25 01:45 . 2010-03-25 05:12 1381888 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-03-25 01:45 . 2010-03-25 05:12 2095616 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-03-24 22:22 . 2007-07-02 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-14 02:21 . 2010-03-14 02:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-14 02:21 . 2010-03-14 02:21 -------- d-----w- c:\program files\LSoft Technologies
2010-03-14 02:21 . 2003-12-18 12:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 07:08 . 2007-07-02 16:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:28 . 2009-04-03 20:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 16:07 . 2006-11-15 18:26 -------- d-----w- c:\documents and settings\Brian\Application Data\Share-to-Web Upload Folder
2010-02-25 06:24 . 2005-04-27 17:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-02 22:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 1980-01-01 06:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 17:16 . 2010-02-10 06:08 484352 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2007-06-30 23:31 . 2007-06-30 23:30 212849 ----a-w- c:\program files\hijackthis.zip
2005-02-28 23:31 . 2005-02-28 23:31 22916 ----a-w- c:\program files\FIGBWU.jpg
2005-02-28 23:31 . 2005-02-28 23:31 22968 ----a-w- c:\program files\FIGBW.jpg
2005-02-07 06:04 . 2005-02-07 06:04 3467795 ----a-w- c:\program files\whatif_setup.exe
2005-02-04 02:36 . 2005-02-04 02:35 864242 ----a-w- c:\program files\lessonNewcustomerleads.pdf
2004-08-28 04:04 . 2004-08-28 04:04 2609631 ----a-w- c:\program files\aawsepersonal.exe
2001-09-28 23:00 . 2004-08-28 01:50 164864 ----a-w- c:\program files\UNWISE.EXE
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-01-23 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-12-18 26112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 634880]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\hp\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\hp\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2008-4-1 2121728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
SideACT!.lnk - c:\program files\ACT\SideACT.exe [2004-4-23 278589]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\ACT\\ActUpdt.exe"=
"c:\\\\windows\\\\explorer.exe"= c:\\WINDOWS\\Explorer.EXE
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 6:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 6:30 AM 476528]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/17/2007 4:58 PM 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\DRIVERS\DELUSB_51.sys --> c:\windows\system32\DRIVERS\DELUSB_51.sys [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/13/2010 7:21 PM 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2003-12-26 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-04-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: farmersinsurance.com
Trusted Zone: farmersinsurance.com\eagent
Trusted Zone: farmerslife.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} - hxxps://bie.farmersinsurance.com/prweb/PRServletLDAP1/8gYJ4DHQrCXUTefMjim_tw%5B%5B*/prvisiointerface.cab
DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} - hxxp://mobius.farmersinsurance.com/Agent/content/iejpwenu.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\l3codeca.acm
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'lsass.exe'(696)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-26 21:27:41
ComboFix-quarantined-files.txt 2010-04-27 04:27
ComboFix2.txt 2010-04-26 14:38

Pre-Run: 14,712,410,112 bytes free
Post-Run: 14,688,780,288 bytes free

- - End Of File - - BF0F61D15BDCDD774B7A93910E8F6D6C


#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 27 April 2010 - 09:28 AM

I meant to ask you to run Malwarebytes not combofix, I don't no why I put combofix crazy.gif

your logs are looking ok now, let's just do one more check.


You have Viewpoint installed, Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.



Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the button.
  • Check
  • Click the button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



Then try and run DDS again and post back with both DDS logs and the ESET report.

Thanks

unite.jpg


#11 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 28 April 2010 - 10:16 AM

here the logs now when i ran eset scannner i did not check to remove infections here is the eset scan first

C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\27\6184729b-3669a73d a variant of Java/TrojanDownloader.OpenStream.NAD trojan
C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\55\58a21d77-4eb50c51 Java/TrojanDownloader.Agent.AF trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\khghfe.dll.vir a variant of Win32/Kryptik.DOX trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\khihhe.dll.vir a variant of Win32/Kryptik.DOX trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\qomjhg.dll.vir a variant of Win32/Kryptik.DOX trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ssrqol.dll.vir a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142194.dll a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142195.dll a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142196.dll a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142197.dll a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142205.dll a variant of Win32/Kryptik.DOX trojan
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1096\A0142206.dll a variant of Win32/Kryptik.DOX trojan
C:\WINDOWS\SYSTEM32\ddbxxy.dll a variant of Win32/Kryptik.DOX trojan


DDS (Ver_10-03-17.01) - NTFSx86
Run by Brian at 8:03:42.31 on Wed 04/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1391 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\hp\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hp\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Brian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.1\masqform.exe /RegServer -UpdateCurrentUser
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111\wn111.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\sideact!.lnk - c:\program files\act\SideACT.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: farmersinsurance.com
Trusted Zone: farmersinsurance.com\eagent
Trusted Zone: farmerslife.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgXTwain61.cab
DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/icms/viewers/crystalreportviewers11/ActiveXControls/PrintControl.cab
DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgXDialog61.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://amiuptodate.mcafee.com/vsc/bin/2,0,0,0/McUpdatePortal.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181609387625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/imagecenter/commonActiveX/ImgX61.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} - hxxps://bie.farmersinsurance.com/prweb/PRServletLDAP1/8gYJ4DHQrCXUTefMjim_tw%5B%5B*/prvisiointerface.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} - hxxp://mobius.farmersinsurance.com/Agent/content/iejpwenu.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5061/mcfscan.cab
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2009-12-18 128016]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-12-18 317072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-12-18 486280]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\drivers\delusb_51.sys --> c:\windows\system32\drivers\DELUSB_51.sys [?]

=============== Created Last 30 ================

2010-04-27 16:04:00 0 d-----w- c:\program files\ESET
2010-04-26 14:02:13 0 d-sha-r- C:\cmdcons
2010-04-26 13:56:11 98816 ----a-w- c:\windows\sed.exe
2010-04-26 13:56:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-26 13:56:11 261632 ----a-w- c:\windows\PEV.exe
2010-04-26 13:56:11 161792 ----a-w- c:\windows\SWREG.exe
2010-04-19 04:14:25 0 d-----w- c:\program files\trend micro
2010-04-18 03:43:26 20 ----a-w- c:\documents and settings\brian\defogger_reenable
2010-04-17 14:12:36 93184 ---ha-w- c:\windows\system32\ddbxxy.dll

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 02:21:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-11 07:08:38 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-09 11:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 18:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 16:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 16:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2007-11-19 03:42:52 461952 ----a-w- c:\windows\inf\wn111\Mrvw245.sys
2007-06-30 23:31:00 212849 ----a-w- c:\program files\hijackthis.zip
2007-05-24 22:58:00 249856 ----a-w- c:\windows\inf\wn111\InsDrv2k.exe
2006-07-05 19:21:50 212992 ----a-w- c:\windows\inf\wn111\CopyWHQLDriver.exe
2005-11-17 23:46:24 845736 ----a-w- c:\windows\inf\wn111\DPInst.exe
2005-02-28 23:31:53 22916 ----a-w- c:\program files\FIGBWU.jpg
2005-02-28 23:31:05 22968 ----a-w- c:\program files\FIGBW.jpg
2005-02-07 06:04:34 3467795 ----a-w- c:\program files\whatif_setup.exe
2005-02-04 02:36:01 864242 ----a-w- c:\program files\lessonNewcustomerleads.pdf
2004-08-28 04:04:52 2609631 ----a-w- c:\program files\aawsepersonal.exe
2001-09-28 23:00:28 164864 ----a-w- c:\program files\UNWISE.EXE
2002-08-29 11:00:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-09-12 21:48:52 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 8:04:25.78 ===============




#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 28 April 2010 - 12:02 PM

You should have checked to remove infections, but don't worry about it now. I still see some malware their that needs dealing with, first run TFC, then delete your copy of combofix and download a new copy, then run it and post back with the new log.


TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.TFC(Temp File Cleaner):

unite.jpg


#13 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 29 April 2010 - 11:47 AM

ComboFix 10-04-28.08 - Brian 04/29/2010 9:22.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1510 [GMT -7:00]
Running from: c:\documents and settings\Brian\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-29 )))))))))))))))))))))))))))))))
.

2010-04-27 16:04 . 2010-04-27 16:04 -------- d-----w- c:\program files\ESET
2010-04-19 04:14 . 2010-04-19 04:16 -------- d-----w- c:\program files\trend micro
2010-04-19 04:14 . 2010-04-19 04:20 -------- d-----w- C:\rsit
2010-04-17 14:12 . 2010-04-17 14:13 93184 ---ha-w- c:\windows\system32\ddbxxy.dll
2010-04-16 16:03 . 2010-04-16 16:03 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Powercinema
2010-04-16 00:09 . 2010-04-16 00:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-02 14:45 . 2010-04-02 14:45 503808 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcp71.dll
2010-04-02 14:45 . 2010-04-02 14:45 499712 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\jmc.dll
2010-04-02 14:45 . 2010-04-02 14:45 348160 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-74502270-n\msvcr71.dll
2010-04-02 14:45 . 2010-04-02 14:45 61440 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-sse.dll
2010-04-02 14:45 . 2010-04-02 14:45 12800 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1d00f1c5-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-29 16:07 . 2003-12-18 12:54 -------- d-----w- c:\program files\Viewpoint
2010-04-27 16:02 . 2003-12-18 12:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-18 03:29 . 2009-09-01 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 14:45 . 2003-12-18 12:41 -------- d-----w- c:\program files\Java
2010-03-30 16:58 . 2009-12-03 17:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 07:46 . 2009-09-01 23:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2009-09-01 23:01 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 17:25 . 2010-03-25 17:25 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-25 17:03 . 2010-03-25 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-25 08:11 . 2010-01-08 07:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-25 08:04 . 2010-03-25 08:04 -------- d-----w- c:\program files\Alwil Software
2010-03-25 01:45 . 2010-03-25 05:12 1381888 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-03-25 01:45 . 2010-03-25 05:12 2095616 ----a-w- c:\windows\Internet Logs\xDBA.tmp
2010-03-24 22:22 . 2007-07-02 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-14 02:21 . 2010-03-14 02:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-14 02:21 . 2010-03-14 02:21 -------- d-----w- c:\program files\LSoft Technologies
2010-03-14 02:21 . 2003-12-18 12:50 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 07:08 . 2007-07-02 16:51 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:28 . 2009-04-03 20:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 16:07 . 2006-11-15 18:26 -------- d-----w- c:\documents and settings\Brian\Application Data\Share-to-Web Upload Folder
2010-02-25 06:24 . 2005-04-27 17:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-02 22:30 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 16:10 . 1980-01-01 06:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 1980-01-01 06:00 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2002-08-29 11:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2002-08-29 11:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-09 17:16 . 2010-02-10 06:08 484352 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2007-06-30 23:31 . 2007-06-30 23:30 212849 ----a-w- c:\program files\hijackthis.zip
2005-02-28 23:31 . 2005-02-28 23:31 22916 ----a-w- c:\program files\FIGBWU.jpg
2005-02-28 23:31 . 2005-02-28 23:31 22968 ----a-w- c:\program files\FIGBW.jpg
2005-02-07 06:04 . 2005-02-07 06:04 3467795 ----a-w- c:\program files\whatif_setup.exe
2005-02-04 02:36 . 2005-02-04 02:35 864242 ----a-w- c:\program files\lessonNewcustomerleads.pdf
2004-08-28 04:04 . 2004-08-28 04:04 2609631 ----a-w- c:\program files\aawsepersonal.exe
2001-09-28 23:00 . 2004-08-28 01:50 164864 ----a-w- c:\program files\UNWISE.EXE
2002-08-29 11:00 . 2002-08-29 11:00 94784 --sh--w- c:\windows\TWAIN.DLL
2008-04-14 00:12 . 2002-08-29 11:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2002-08-29 11:00 1028096 --sha-w- c:\windows\SYSTEM32\mfc42.dll
2008-04-14 00:12 . 2002-08-29 11:00 57344 --sha-w- c:\windows\SYSTEM32\msvcirt.dll
2008-04-14 00:12 . 2002-08-29 11:00 413696 --sha-w- c:\windows\SYSTEM32\msvcp60.dll
2008-04-14 00:12 . 2002-08-29 11:00 11776 --sh--w- c:\windows\SYSTEM32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-27_04.23.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-29 16:09 . 2010-04-29 16:09 16384 c:\windows\Temp\Perflib_Perfdata_814.dat
+ 2010-04-29 16:08 . 2010-04-29 16:08 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-01-23 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-01-23 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-12-18 26112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 53248]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.1\masqform.exe" [2004-04-19 634880]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"HP Software Update"="c:\program files\hp\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\hp\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
NETGEAR WN111 Smart Wizard.lnk - c:\program files\NETGEAR\WN111\wn111.exe [2008-4-1 2121728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
SideACT!.lnk - c:\program files\ACT\SideACT.exe [2004-4-23 278589]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\ACT\\ActUpdt.exe"=
"c:\\\\windows\\\\explorer.exe"= c:\\WINDOWS\\Explorer.EXE
"c:\\WINDOWS\\SYSTEM32\\ZoneLabs\\vsmon.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 6:30 AM 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [10/14/2009 6:30 AM 476528]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 PRISM_USB;Dell TrueMobile 1180 Wireless USB Adapter;c:\windows\system32\DRIVERS\DELUSB_51.sys --> c:\windows\system32\DRIVERS\DELUSB_51.sys [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [3/13/2010 7:21 PM 691696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2003-12-26 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: farmersinsurance.com
Trusted Zone: farmersinsurance.com\eagent
Trusted Zone: farmerslife.com\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} -
DPF: {BE8EEE38-A7C5-4674-A6C4-C2D7421FDD10} - hxxps://bie.farmersinsurance.com/prweb/PRServletLDAP1/8gYJ4DHQrCXUTefMjim_tw%5B%5B*/prvisiointerface.cab
DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} - hxxp://mobius.farmersinsurance.com/Agent/content/iejpwenu.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 09:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(692)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(108)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-29 09:36:47
ComboFix-quarantined-files.txt 2010-04-29 16:36
ComboFix2.txt 2010-04-27 04:27
ComboFix3.txt 2010-04-26 14:38

Pre-Run: 14,607,220,736 bytes free
Post-Run: 14,574,247,936 bytes free

- - End Of File - - 949395E16E86C1ACED732666FA356CA7


#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:42 PM

Posted 30 April 2010 - 10:54 AM

Hi,

Clear the Java Runtime Environment (JRE) cache
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    -The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click "Delete Files".
    -The Delete Temporary Files dialog box appears.
    -There are two options here to clear the cache, check them both.
  • Applications and Applets
  • Trace and log files
  • Click "OK" on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click "OK" on Temporary Files Settings window.
  • Close the Java Control Panel.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/310939/hijack-this-log-file/

Collect::
c:\windows\system32\ddbxxy.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

unite.jpg


#15 fogde

fogde
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:10:42 AM

Posted 30 April 2010 - 11:13 AM

it said there was a newer version of combofix do i want to download it i click yes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users