
browser hijack, unable to do windows update, a popup, then blue screen...


  • This topic is locked
26 replies to this topic

#1 whippit1

whippit1

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 05 May 2010 - 07:04 AM

Let me start off by saying I sincerely need help please.
I was handed this computer and asked to see if I could run windows update by my aunt because for some reason she couldn't. She had Comodo internet security installed but disabled. I still don't understand that so I enabled and tried to update it. Comodo showed it was updated. What's the use of having it if it's off. Then I tried to run microsoft update from the start menu. I can load in the browser the microsoft site itself. Can open the start menu, click microsoft update, takes me to the site, shows the screen about the active x control for about 15 seconds then goes to the error screen with an error code of: 0x80072EFF. As soon as that screen loads another browser window opens and is directed to some random site. I then tried the windows update in the start menu only to get a general 404 error screen (Internet Explorer cannot display this web page, diagnose error etc etc etc). I have searched for a solution to the error code but have found nothing that helps. I went through the steps of registering the dll's, editing the hosts file, turning off and on antivirus, firewall, and anything else I thought might help. Still couldn't update. That's when I decided to post here.

Before I became registered and logged in completely this unhappy little computer popped up with a window that looked "hinky" with a microsoft update look to it, it was Antimalware Doctor Upgrade notice KB914187. Now knowing that windows update is not working I closed this window. I was then inundated with pop-up windows that said "files (wmiprvse.exe, uxq9by.exe, pmw.exe just to name a few) are infected. Would you like to activate antivirus now?" I tried to close these using the x but couldn't. I clicked no, and in retrospect should have just shut the computer down because I think I made it worse. I tried to shut down using task manager but was unable to. I forced it to shut down by holding the power button.
Upon restart I was greeted with a blue screen that said a problem has been detected and windows has been shut down etc etc...
Technical information:
***STOP: 0x00000024 (0x001902FE, 0xF7A6194C, 0F7A61648, 0XEED961F2)
*** zdrjsjnhj9.sys - Address EED961f2 base at EED89000, DateStamp 4b4789ac

I restarted to safe mode after that so I could run a hijackthis scan. I have tried to insert the log here but the system tells me I have an old version of hijack and need to download a new one. I'll download that and post the log file after work. I appreciate your time and patience in this matter. Thank you.

Mod EDIT: Merged two posts and moved to the proper forum~~ boopme

I finally was able to get back online and am now posting my hijack log. Please take a look and let me know what my next best step would be please.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:31:00 AM, on 5/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nvsvc32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\user.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\debug.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Application Data\U3\08772013D9D0F4AD\LaunchPad.exe
F:\hijack\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\l628r.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\l628r.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - C:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O4 - HKLM\..\Run: [14484] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\khvcol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\gotnewupdate000.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [50pfo] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\uxq9by.exe
O4 - HKUS\S-1-5-18\..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\l5r1zjxv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [mcexecwin] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\ab3szs.dll, RestoreWindows (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\iexplarer.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\l5r1zjxv.exe (User 'Default user')
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\gotnewupdate000.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - C:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Sally's%20Spa/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1244560984453
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Sally's%20Spa/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3E776C6-49CF-46B3-BB85-929D6866D6B1}: NameServer = 93.188.163.173,93.188.161.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4FDC47A-8EA3-4CD1-8E47-93D51B15879A}: NameServer = 93.188.163.173,93.188.161.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.173,93.188.161.199
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.173,93.188.161.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.173,93.188.161.199
O21 - SSODL: GootkitSSO - {B1F2515A-A3E9-48A7-9D40-7C474FDC744D} - C:\WINDOWS\System32\msxsltsso.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\l628r.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8361 bytes

Edited by boopme, 07 May 2010 - 01:24 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP
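The HijackThis log above contains the classic signs a helper looks for before asking for more scans: autostart entries (O4) pointing into Temp folders and a 32-hex-character folder under Application Data, a BHO (O2) whose only "name" is its own DLL path and whose CLSID is reused by an O22 SharedTaskScheduler entry, a policy that disables Registry Editor (O7), and O17 NameServer values pointing at DNS servers that are neither the router nor a known resolver. The script below is an added example, not code from this thread, from BleepingComputer or from HijackThis; it parses HijackThis-style lines and flags those patterns for an analyst to verify. The sample lines are modelled on the log above (the O17 line with 192.168.1.1 is a constructed benign counter-example), and the heuristics, the `trusted_dns` allowlist and all function names are assumptions of this example. A public ISP resolver would also be flagged by the O17 rule, so pass it in `trusted_dns` when triaging a real log.

```python
import ipaddress
import re

# Constructed sample: ten lines modelled on the HijackThis log posted in this thread
# (the O17 line with 192.168.1.1 is a constructed benign counter-example).
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\l628r.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\l628r.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\services.exe
O4 - HKLM\..\Policies\Explorer\Run: [50pfo] C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\uxq9by.exe
O4 - HKCU\..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\gotnewupdate000.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.173,93.188.161.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4FDC47A-8EA3-4CD1-8E47-93D51B15879A}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\l628r.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$")
# Locations a legitimate autostart rarely points at: a Temp folder (including the
# SYSTEM profile's Temp) or a 32-hex-character folder directly under Application Data.
SUSPICIOUS_PATH_RE = re.compile(r"\\temp\\|\\application data\\[0-9a-f]{32}\\", re.IGNORECASE)


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs, ignoring non-entry lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def dns_is_unexpected(server, trusted):
    """True when a DNS server is neither RFC1918/loopback nor on the analyst's allowlist."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return True  # not an IP literal at all; worth a look
    return not (ip.is_private or ip.is_loopback or str(ip) in trusted)


def triage(log_text, trusted_dns=()):
    """Return (section, reason, body) findings for an analyst to verify, in log order."""
    entries = parse_entries(log_text)
    findings = []
    flagged_clsids = set()

    for sec, body in entries:
        if sec == "O2":
            name = body.split(" - ")[0].replace("BHO: ", "", 1)
            # A BHO whose display name is just its own file path carries no vendor name.
            if re.match(r"^[A-Za-z]:\\", name):
                findings.append((sec, "BHO without a display name", body))
                flagged_clsids.update(CLSID_RE.findall(body))
        elif sec == "O4":
            m = O4_RE.search(body)
            if m and SUSPICIOUS_PATH_RE.search(m.group("cmd")):
                findings.append((sec, "autostart runs from Temp/random profile folder", body))
        elif sec == "O7":
            if "DisableRegedit=1" in body:
                findings.append((sec, "Registry Editor disabled by policy", body))
        elif sec == "O17":
            m = O17_RE.search(body)
            if m:
                bad = [s.strip() for s in m.group("servers").split(",")
                       if s.strip() and dns_is_unexpected(s.strip(), trusted_dns)]
                if bad:
                    findings.append((sec, "DNS servers outside LAN/allowlist: " + ",".join(bad), body))

    # Second pass: any non-O2 entry (e.g. an O22 SharedTaskScheduler) that reuses
    # the CLSID of a flagged BHO is the same component registered a second way.
    for sec, body in entries:
        if sec != "O2" and flagged_clsids.intersection(CLSID_RE.findall(body)):
            findings.append((sec, "same CLSID as a flagged BHO", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {body}")
```

Run against the sample it reports seven findings: the nameless BHO, the three Temp/Application Data autostarts, the DisableRegedit policy, the two public DNS servers, and the O22 entry sharing the BHO's CLSID; the ctfmon.exe autostart and the 192.168.1.1 resolver pass. Findings are leads for a human to check against the vendor, the file on disk and the network's real resolver settings, not verdicts.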



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 07 May 2010 - 01:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 10 May 2010 - 01:38 PM

I had to run both of these scans in safe mode. The pc would not boot normally I received the blue error screen same as before.
The browser would also not let me "copy paste" the gmer log so it is attached to this post.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrator at 9:23:27.54 on Mon 05/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.758 [GMT -5:00]

AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Application Data\U3\08772013D9D0F4AD\LaunchPad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: c:\windows\system32\l628r.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\l628r.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.8.0\IEViewBar.dll
TB: Foxit Toolbar:

Attached Files



#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 11 May 2010 - 03:06 PM

Hello, whippit1
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.






Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#5 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 14 May 2010 - 05:28 PM

Hi Tom,
Thank you for helping me!
I am not sure if I'm doing something wrong but I cannot seem to find the option anywhere to show hidden files. As mentioned before I am running in safe mode because this computer will not load for me any other way. I get the same blue screen with the error codes exactly the same as listed above when I try to boot normally.
If being in safe mode is not a problem please let me know. If there is a way to get out of safe mode and enter normally please direct me. Either way, I will follow all your directions exactly.
Jess

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 17 May 2010 - 09:22 AM

Please follow the step with Combofix
regards,
schrauber


#7 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 19 May 2010 - 07:51 AM

ComboFix 10-05-17.05 - Administrator 05/19/2010 6:30.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.765 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\schrauber.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\services.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD
c:\documents and settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\enemies-names.txt
c:\documents and settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\gotnewupdate000.exe
c:\documents and settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\hookdll.dll
c:\documents and settings\Administrator\Application Data\2B20F53E882BAB16E028FA8830B4F2FD\lsrslt.ini
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk
c:\documents and settings\Administrator\Start Menu\Antimalware Doctor.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\Antimalware Doctor.lnk
C:\lsass.exe
c:\program files\ezLife
c:\program files\ezLife\ezLife\1.5.5.0\uninstall.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Mozilla Firefox\patch.exe
c:\program files\Smart-Ads-Solutions
c:\program files\Smart-Ads-Solutions\SmartAds\1.5.5.0\uninstall.exe
c:\windows\system32\8cb6910.log
c:\windows\system32\bbGZhxyt.dll
c:\windows\system32\config\systemprofile\reader_s.exe
c:\windows\system32\cooper.mine
c:\windows\system32\driVERs\sgloh.sys
c:\windows\system32\drivers\zdrjsjnhj9.sys
c:\windows\system32\gjoaebzonh.dll
c:\windows\system32\h7t.wt
c:\windows\system32\hgtd.ruy
c:\windows\system32\l628r.dll
c:\windows\system32\msxsltsso.dll
c:\windows\system32\net.net
c:\windows\system32\nmklo.dll
c:\windows\system32\ygtnznpv.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

Infected copy of c:\windows\system32\drivers\IntelIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sgloh
-------\Legacy_zdrjsjnhj9
-------\Service_sgloh
-------\Service_zdrjsjnhj9


((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-05 00:02 . 2010-05-05 00:02 -------- d-----w- C:\spoolerlogs
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-05-04 23:59 . 2010-05-04 23:59 50990 ----a-w- c:\windows\system32\jvgnggqnmia.exe
2010-05-04 23:57 . 2010-05-04 23:57 99840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll
2010-05-04 23:55 . 2010-05-05 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-04 02:41 . 2010-05-04 02:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-04 01:04 . 2010-05-04 01:04 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-03 23:59 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-03 23:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-03 23:59 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-03 23:58 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-03 23:58 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-03 23:58 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-03 23:58 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-03 23:58 . 2004-08-04 03:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-03 23:57 . 2004-08-04 03:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-03 23:57 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-03 23:57 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-03 23:57 . 2004-08-04 03:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-05-03 23:57 . 2001-08-17 17:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-05-03 23:57 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-05-03 23:57 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-05-03 23:57 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-03 23:55 . 2001-08-17 17:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-05-03 23:54 . 2001-08-18 03:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-05-03 23:54 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-05-03 23:54 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-05-03 23:54 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-05-03 23:54 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-05-03 23:54 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-05-03 23:54 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-05-03 23:54 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-05-03 23:54 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-05-03 23:54 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-05-03 23:54 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-05-03 23:54 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-05-03 23:52 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-05-03 23:52 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-05-03 23:52 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-05-03 23:52 . 2008-04-13 18:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-05-03 23:52 . 2001-08-17 17:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-05-03 23:52 . 2001-08-17 17:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-05-03 23:52 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-05-03 23:52 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-05-03 23:52 . 2001-08-17 17:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-05-03 23:52 . 2001-08-17 19:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-05-03 23:52 . 2001-08-17 19:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-05-03 23:50 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-05-03 23:50 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-05-03 23:50 . 2001-08-18 03:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-05-03 23:50 . 2001-08-17 18:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-05-03 23:50 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-05-03 23:50 . 2001-08-17 19:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-05-03 23:50 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-03 23:50 . 2001-08-17 17:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-05-03 23:50 . 2001-08-18 03:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-05-03 23:50 . 2001-08-17 17:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-05-03 23:50 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-05-03 23:50 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-05-03 23:50 . 2001-08-17 18:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-05-03 23:48 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-05-03 23:47 . 2001-08-18 03:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-05-03 23:47 . 2001-08-17 17:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-05-03 23:47 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-03 23:47 . 2001-08-17 18:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-05-03 23:47 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-05-03 23:47 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-05-03 23:47 . 2001-08-17 18:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-05-03 23:47 . 2001-08-17 18:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-05-03 23:47 . 2001-08-17 18:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-05-03 23:47 . 2008-04-13 18:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-05-03 23:47 . 2001-08-18 03:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-05-03 23:45 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-05-03 23:45 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-05-03 23:45 . 2001-08-18 03:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-05-03 23:45 . 2001-08-17 17:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-05-03 23:45 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-05-03 23:45 . 2001-08-17 17:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-05-03 23:45 . 2001-08-18 03:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-05-03 23:45 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-05-03 23:45 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-05-03 23:45 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-05-03 23:45 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-05-03 23:45 . 2001-08-17 18:53 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-05-03 23:43 . 2001-08-17 18:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-05-03 23:42 . 2001-08-18 03:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe
2010-05-03 23:41 . 2001-08-17 19:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-03 23:41 . 2001-08-17 19:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-05-03 23:41 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-05-03 23:41 . 2001-08-17 18:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-05-03 23:41 . 2001-08-17 17:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-05-03 23:41 . 2001-08-17 17:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-05-03 23:41 . 2001-08-17 17:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-05-03 23:41 . 2008-04-13 18:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-03 23:41 . 2001-08-17 17:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-05-03 23:41 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-05-03 23:41 . 2001-08-17 17:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-05-03 23:41 . 2001-08-17 18:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-05-03 23:41 . 2001-08-17 18:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-05-03 23:39 . 2001-08-17 19:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2010-05-03 23:39 . 2001-08-17 17:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-05-03 23:39 . 2001-08-17 17:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-05-03 23:39 . 2001-08-17 18:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-03 23:39 . 2001-08-18 03:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-03 23:39 . 2001-08-17 18:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-03 23:39 . 2001-08-18 03:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-03 23:39 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-03 23:39 . 2001-08-17 17:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-03 23:39 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-03 23:39 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-03 23:38 . 2001-08-17 19:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-03 23:38 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-03 23:38 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-03 23:38 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-03 23:38 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-03 23:38 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-03 23:38 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-03 23:38 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-05-03 23:36 . 2001-08-17 18:28 727786 -c--a-w- c:\windows\system32\dllcache\ltck000c.sys
2010-05-03 23:35 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-03 23:34 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-05-03 23:34 . 2001-08-17 19:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 11:41 . 2004-08-04 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2010-05-19 11:09 . 2006-08-04 22:51 5504 ----a-w- c:\windows\system32\drivers\IntelIde.sys
2010-05-14 22:11 . 2009-06-08 22:56 64368 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 23:11 . 2009-06-09 15:44 -------- d-----w- c:\program files\DL
2010-05-03 21:23 . 2009-10-29 14:02 -------- d-----w- c:\program files\Coupons
2010-05-03 20:54 . 2006-08-05 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 19:08 . 2006-08-11 13:53 63792 -c--a-w- c:\documents and settings\Rich (dad)\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 17:12 . 2006-08-10 00:22 63792 -c--a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 16:51 . 2006-12-24 04:53 -------- d-----w- c:\documents and settings\Sarah\Application Data\Apple Computer
2010-05-01 16:48 . 2008-03-27 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-01 16:45 . 2006-08-11 04:39 -------- d-----w- c:\documents and settings\Sarah\Application Data\LimeWire
2010-05-01 15:08 . 2008-06-30 20:20 -------- d-----w- c:\documents and settings\Sarah\Application Data\U3
2010-04-23 21:46 . 2010-04-23 21:46 1510584 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe
2010-04-23 21:46 . 2010-04-23 21:46 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
2010-04-23 20:22 . 2006-08-09 22:58 -------- d-----w- c:\documents and settings\Sarah\Application Data\Lavasoft
2010-04-09 06:26 . 2010-04-09 06:26 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 06:25 . 2010-04-09 06:25 86800 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-04-09 06:25 . 2010-04-09 06:25 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 06:25 . 2010-04-09 06:25 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 06:25 . 2010-04-09 06:25 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-05 03:08 . 2009-08-18 23:55 -------- d-----w- c:\program files\RealArcade
2010-04-05 03:08 . 2007-06-17 03:43 -------- d-----w- c:\program files\Oberon Media
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 01:58 . 2010-02-19 01:58 30952 ----a-w- c:\documents and settings\Administrator\Application Data\FixIt\mpsyschk.exe
.
Infected c:\windows\system32\user32.dll hex repaired


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\twain_32\ca561a\SnapDetect.exe [2009-7-20 65536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-04-21 23:03 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-06-07 17:35 319488 -c--a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-06 16:07 114688 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-06 16:19 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-01-08 19:54 65536 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo

#8 whippit1
  • Topic Starter
  • Members
  • 19 posts

Posted 19 May 2010 - 08:13 AM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"MDM"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:16

Edited by whippit1, 19 May 2010 - 08:26 AM.


#9 schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 21 May 2010 - 09:21 AM

Hi,

Please delete your copy of Combofix and download a fresh one, let it run and post back with the content of the logfile.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#10 whippit1
  • Topic Starter
  • Members
  • 19 posts

Posted 23 May 2010 - 10:51 AM

ComboFix 10-05-22.03 - Administrator 05/23/2010 10:32:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.774 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Rich (dad)\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Sarah\Application Data\Microsoft\HTML Help\hh.dat

Infected copy of c:\windows\system32\drivers\IntelIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-05 00:02 . 2010-05-05 00:02 -------- d-----w- C:\spoolerlogs
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-05-04 23:59 . 2010-05-04 23:59 50990 ----a-w- c:\windows\system32\jvgnggqnmia.exe
2010-05-04 23:57 . 2010-05-04 23:57 99840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll
2010-05-04 23:55 . 2010-05-05 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-04 02:41 . 2010-05-04 02:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-04 01:04 . 2010-05-04 01:04 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-03 23:59 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-03 23:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-03 23:59 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-03 23:58 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-03 23:58 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-03 23:58 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-03 23:58 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-03 23:58 . 2004-08-04 03:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-03 23:57 . 2004-08-04 03:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-03 23:57 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-03 23:57 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-03 23:57 . 2004-08-04 03:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-05-03 23:57 . 2001-08-17 17:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-05-03 23:57 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-05-03 23:57 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-05-03 23:57 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-03 23:55 . 2001-08-17 17:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-05-03 23:54 . 2001-08-18 03:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-05-03 23:54 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-05-03 23:54 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-05-03 23:54 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-05-03 23:54 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-05-03 23:54 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-05-03 23:54 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-05-03 23:54 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-05-03 23:54 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-05-03 23:54 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-05-03 23:54 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-05-03 23:54 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-05-03 23:52 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-05-03 23:52 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-05-03 23:52 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-05-03 23:52 . 2008-04-13 18:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-05-03 23:52 . 2001-08-17 17:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-05-03 23:52 . 2001-08-17 17:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-05-03 23:52 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-05-03 23:52 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-05-03 23:52 . 2001-08-17 17:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-05-03 23:52 . 2001-08-17 19:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-05-03 23:52 . 2001-08-17 19:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-05-03 23:50 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-05-03 23:50 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-05-03 23:50 . 2001-08-18 03:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-05-03 23:50 . 2001-08-17 18:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-05-03 23:50 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-05-03 23:50 . 2001-08-17 19:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-05-03 23:50 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-03 23:50 . 2001-08-17 17:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-05-03 23:50 . 2001-08-18 03:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-05-03 23:50 . 2001-08-17 17:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-05-03 23:50 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-05-03 23:50 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-05-03 23:50 . 2001-08-17 18:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-05-03 23:48 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-05-03 23:47 . 2001-08-18 03:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-05-03 23:47 . 2001-08-17 17:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-05-03 23:47 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-03 23:47 . 2001-08-17 18:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-05-03 23:47 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-05-03 23:47 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-05-03 23:47 . 2001-08-17 18:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-05-03 23:47 . 2001-08-17 18:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-05-03 23:47 . 2001-08-17 18:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-05-03 23:47 . 2008-04-13 18:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-05-03 23:47 . 2001-08-18 03:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-05-03 23:45 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-05-03 23:45 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-05-03 23:45 . 2001-08-18 03:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-05-03 23:45 . 2001-08-17 17:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-05-03 23:45 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-05-03 23:45 . 2001-08-17 17:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-05-03 23:45 . 2001-08-18 03:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-05-03 23:45 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-05-03 23:45 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-05-03 23:45 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-05-03 23:45 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-05-03 23:45 . 2001-08-17 18:53 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-05-03 23:43 . 2001-08-17 18:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-05-03 23:42 . 2001-08-18 03:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe
2010-05-03 23:41 . 2001-08-17 19:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-03 23:41 . 2001-08-17 19:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-05-03 23:41 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-05-03 23:41 . 2001-08-17 18:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-05-03 23:41 . 2001-08-17 17:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-05-03 23:41 . 2001-08-17 17:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-05-03 23:41 . 2001-08-17 17:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-05-03 23:41 . 2008-04-13 18:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-03 23:41 . 2001-08-17 17:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-05-03 23:41 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-05-03 23:41 . 2001-08-17 17:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-05-03 23:41 . 2001-08-17 18:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-05-03 23:41 . 2001-08-17 18:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-05-03 23:39 . 2001-08-17 19:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2010-05-03 23:39 . 2001-08-17 17:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-05-03 23:39 . 2001-08-17 17:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-05-03 23:39 . 2001-08-17 18:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-03 23:39 . 2001-08-18 03:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-03 23:39 . 2001-08-17 18:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-03 23:39 . 2001-08-18 03:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-03 23:39 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-03 23:39 . 2001-08-17 17:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-03 23:39 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-03 23:39 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-03 23:38 . 2001-08-17 19:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-03 23:38 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-03 23:38 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-03 23:38 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-03 23:38 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-03 23:38 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-03 23:38 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-03 23:38 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-05-03 23:36 . 2001-08-17 18:28 727786 -c--a-w- c:\windows\system32\dllcache\ltck000c.sys
2010-05-03 23:35 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-03 23:34 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-05-03 23:34 . 2001-08-17 19:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 15:26 . 2006-08-04 22:51 5504 ----a-w- c:\windows\system32\drivers\IntelIde.sys
2010-05-19 11:41 . 2004-08-04 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2010-05-14 22:11 . 2009-06-08 22:56 64368 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 23:11 . 2009-06-09 15:44 -------- d-----w- c:\program files\DL
2010-05-03 21:23 . 2009-10-29 14:02 -------- d-----w- c:\program files\Coupons
2010-05-03 20:54 . 2006-08-05 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 19:08 . 2006-08-11 13:53 63792 -c--a-w- c:\documents and settings\Rich (dad)\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 17:12 . 2006-08-10 00:22 63792 -c--a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 16:51 . 2006-12-24 04:53 -------- d-----w- c:\documents and settings\Sarah\Application Data\Apple Computer
2010-05-01 16:48 . 2008-03-27 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-01 16:45 . 2006-08-11 04:39 -------- d-----w- c:\documents and settings\Sarah\Application Data\LimeWire
2010-05-01 15:08 . 2008-06-30 20:20 -------- d-----w- c:\documents and settings\Sarah\Application Data\U3
2010-04-23 20:22 . 2006-08-09 22:58 -------- d-----w- c:\documents and settings\Sarah\Application Data\Lavasoft
2010-04-05 03:08 . 2009-08-18 23:55 -------- d-----w- c:\program files\RealArcade
2010-04-05 03:08 . 2007-06-17 03:43 -------- d-----w- c:\program files\Oberon Media
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\twain_32\ca561a\SnapDetect.exe [2009-7-20 65536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-04-21 23:03 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-06-07 17:35 319488 -c--a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-06 16:07 114688 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-06 16:19 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 2


#11 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:23 AM

Posted 23 May 2010 - 10:53 AM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-01-08 19:54 65536 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"MDM"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\par

Edited by whippit1, 23 May 2010 - 10:56 AM.


#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 24 May 2010 - 02:05 PM

Hi,

This logfile is incomplete. Can you have a look for C:\Combofix.txt and post it again? Also, did you run the tool in safe mode?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#13 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:23 AM

Posted 25 May 2010 - 04:03 PM

Thomas,
After the first run of ComboFix I was able to log into the regular administrator section, not in safe mode. I did, however, have to uninstall Comodo security suite because, even after disabling everything as per the instructions I found in the forums here, I was still being told by ComboFix that Comodo was still running. I even tried killing every process I knew was linked to it before deleting it, and still the warning popped up on the screen. I'm going to try posting the log again from the last scan you told me to run. I'll attach a zip of the log file as well.
Jess

ComboFix 10-05-22.03 - Administrator 05/23/2010 10:32:27.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.774 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Rich (dad)\Application Data\Microsoft\HTML Help\hh.dat
c:\documents and settings\Sarah\Application Data\Microsoft\HTML Help\hh.dat

Infected copy of c:\windows\system32\drivers\IntelIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-05 00:02 . 2010-05-05 00:02 -------- d-----w- C:\spoolerlogs
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-05-04 23:59 . 2010-05-04 23:59 50990 ----a-w- c:\windows\system32\jvgnggqnmia.exe
2010-05-04 23:57 . 2010-05-04 23:57 99840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll
2010-05-04 23:55 . 2010-05-05 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-04 02:41 . 2010-05-04 02:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-04 01:04 . 2010-05-04 01:04 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-03 23:59 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-03 23:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-03 23:59 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-03 23:58 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-03 23:58 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-03 23:58 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-03 23:58 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-03 23:58 . 2004-08-04 03:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-03 23:57 . 2004-08-04 03:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-03 23:57 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-03 23:57 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-03 23:57 . 2004-08-04 03:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-05-03 23:57 . 2001-08-17 17:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-05-03 23:57 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-05-03 23:57 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-05-03 23:57 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-03 23:55 . 2001-08-17 17:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-05-03 23:54 . 2001-08-18 03:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-05-03 23:54 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-05-03 23:54 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-05-03 23:54 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-05-03 23:54 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-05-03 23:54 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-05-03 23:54 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-05-03 23:54 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-05-03 23:54 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-05-03 23:54 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-05-03 23:54 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-05-03 23:54 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-05-03 23:52 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-05-03 23:52 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-05-03 23:52 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-05-03 23:52 . 2008-04-13 18:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-05-03 23:52 . 2001-08-17 17:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-05-03 23:52 . 2001-08-17 17:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-05-03 23:52 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-05-03 23:52 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-05-03 23:52 . 2001-08-17 17:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-05-03 23:52 . 2001-08-17 19:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-05-03 23:52 . 2001-08-17 19:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-05-03 23:50 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-05-03 23:50 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-05-03 23:50 . 2001-08-18 03:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-05-03 23:50 . 2001-08-17 18:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-05-03 23:50 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-05-03 23:50 . 2001-08-17 19:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-05-03 23:50 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-03 23:50 . 2001-08-17 17:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-05-03 23:50 . 2001-08-18 03:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-05-03 23:50 . 2001-08-17 17:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-05-03 23:50 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-05-03 23:50 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-05-03 23:50 . 2001-08-17 18:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-05-03 23:48 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-05-03 23:47 . 2001-08-18 03:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-05-03 23:47 . 2001-08-17 17:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-05-03 23:47 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-03 23:47 . 2001-08-17 18:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-05-03 23:47 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-05-03 23:47 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-05-03 23:47 . 2001-08-17 18:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-05-03 23:47 . 2001-08-17 18:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-05-03 23:47 . 2001-08-17 18:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-05-03 23:47 . 2008-04-13 18:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-05-03 23:47 . 2001-08-18 03:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-05-03 23:45 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-05-03 23:45 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-05-03 23:45 . 2001-08-18 03:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-05-03 23:45 . 2001-08-17 17:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-05-03 23:45 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-05-03 23:45 . 2001-08-17 17:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-05-03 23:45 . 2001-08-18 03:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-05-03 23:45 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-05-03 23:45 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-05-03 23:45 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-05-03 23:45 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-05-03 23:45 . 2001-08-17 18:53 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-05-03 23:43 . 2001-08-17 18:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-05-03 23:42 . 2001-08-18 03:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe
2010-05-03 23:41 . 2001-08-17 19:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-03 23:41 . 2001-08-17 19:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-05-03 23:41 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-05-03 23:41 . 2001-08-17 18:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-05-03 23:41 . 2001-08-17 17:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-05-03 23:41 . 2001-08-17 17:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-05-03 23:41 . 2001-08-17 17:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-05-03 23:41 . 2008-04-13 18:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-03 23:41 . 2001-08-17 17:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-05-03 23:41 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-05-03 23:41 . 2001-08-17 17:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-05-03 23:41 . 2001-08-17 18:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-05-03 23:41 . 2001-08-17 18:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-05-03 23:39 . 2001-08-17 19:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2010-05-03 23:39 . 2001-08-17 17:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-05-03 23:39 . 2001-08-17 17:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-05-03 23:39 . 2001-08-17 18:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-03 23:39 . 2001-08-18 03:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-03 23:39 . 2001-08-17 18:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-03 23:39 . 2001-08-18 03:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-03 23:39 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-03 23:39 . 2001-08-17 17:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-03 23:39 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-03 23:39 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-03 23:38 . 2001-08-17 19:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-03 23:38 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-03 23:38 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-03 23:38 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-03 23:38 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-03 23:38 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-03 23:38 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-03 23:38 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-05-03 23:36 . 2001-08-17 18:28 727786 -c--a-w- c:\windows\system32\dllcache\ltck000c.sys
2010-05-03 23:35 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-03 23:34 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-05-03 23:34 . 2001-08-17 19:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 15:26 . 2006-08-04 22:51 5504 ----a-w- c:\windows\system32\drivers\IntelIde.sys
2010-05-19 11:41 . 2004-08-04 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2010-05-14 22:11 . 2009-06-08 22:56 64368 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 23:11 . 2009-06-09 15:44 -------- d-----w- c:\program files\DL
2010-05-03 21:23 . 2009-10-29 14:02 -------- d-----w- c:\program files\Coupons
2010-05-03 20:54 . 2006-08-05 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 19:08 . 2006-08-11 13:53 63792 -c--a-w- c:\documents and settings\Rich (dad)\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 17:12 . 2006-08-10 00:22 63792 -c--a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 16:51 . 2006-12-24 04:53 -------- d-----w- c:\documents and settings\Sarah\Application Data\Apple Computer
2010-05-01 16:48 . 2008-03-27 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-01 16:45 . 2006-08-11 04:39 -------- d-----w- c:\documents and settings\Sarah\Application Data\LimeWire
2010-05-01 15:08 . 2008-06-30 20:20 -------- d-----w- c:\documents and settings\Sarah\Application Data\U3
2010-04-23 20:22 . 2006-08-09 22:58 -------- d-----w- c:\documents and settings\Sarah\Application Data\Lavasoft
2010-04-05 03:08 . 2009-08-18 23:55 -------- d-----w- c:\program files\RealArcade
2010-04-05 03:08 . 2007-06-17 03:43 -------- d-----w- c:\program files\Oberon Media
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\twain_32\ca561a\SnapDetect.exe [2009-7-20 65536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-04-21 23:03 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-06-07 17:35 319488 -c--a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-06 16:07 114688 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-06 16:19 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-01-08 19:54 65536 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"MDM"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:16 PM 24652]
.
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
TCP: {C3E776C6-49CF-46B3-BB85-929D6866D6B1} = 67.158.184.12,67.158.184.11
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kimryps6.default\
FF - prefs.js: browser.search.selectedEngine - Google.com Search
FF - component: c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\components\adproFfx.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.33\NPSceneCaster.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 10:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F0AAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7676f28
\Driver\ACPI -> ACPI.sys @ 0xf75e9cb8
\Driver\atapi -> atapi.sys @ 0xf757b7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7474bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7481a21
SendHandler -> NDIS.sys @ 0xf745f87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1078081533-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,5b,06,9a,ba,a9,af,45,a1,3f,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,5b,06,9a,ba,a9,af,45,a1,3f,ef,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1260)
c:\windows\system32\WININET.dll
c:\windows\system32\sxs.dll

- - - - - - - > 'lsass.exe'(1320)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-23 10:49:30
ComboFix-quarantined-files.txt 2010-05-23 15:49
ComboFix2.txt 2010-05-19 12:42

Pre-Run: 21,343,305,728 bytes free
Post-Run: 21,301,088,256 bytes free

- - End Of File - - 9D60767437E2EA391332B15042DDAE04

Edited by whippit1, 25 May 2010 - 04:05 PM.
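The log above carries the indicators a responder reads first: two drivers that ComboFix had to disinfect in place, two freshly created binaries under system32 (one with a random-looking name, one dropped into the print-processor directory that the spooler service loads from), and registry values that silence Security Center and switch the Windows Firewall off for the standard profile. The following script is an added example written for this thread; it is not ComboFix's code and nothing the helper posted. It parses lines in the shape of the log and flags those indicators, using a constructed sample built from lines that appear on this page. The name-randomness check and the created-equals-modified rule are heuristics of this example, not ComboFix behaviour, and they need analyst follow-up.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's code)."""
import re
from collections import Counter

# Constructed sample input, shaped after lines that appear in the thread above.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\IntelIde.sys was found and disinfected
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
2010-05-04 23:59 . 2010-05-04 23:59 50990 ----a-w- c:\windows\system32\jvgnggqnmia.exe
2010-05-04 23:57 . 2010-05-04 23:57 99840 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll
2010-05-03 23:59 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

INFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
# "<created> . <modified> <size or dashes> <attrs> <path>" as ComboFix prints file entries
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$", re.I)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.*)$')


def reg_int(raw):
    """Turn 'dword:00000001' or ' 0 (0x0)' into an int; None when not numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def looks_random(name):
    """Heuristic: a consonant run of 5+ or no vowels at all in a 4+ letter stem."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if re.search(r"[bcdfghjklmnpqrstvwxz]{5}", stem, re.I):
        return True
    return len(letters) >= 4 and not any(c in "aeiouy" for c in letters)


def check_file(m):
    """Flag binaries under system32 whose created and modified times coincide.
    Files copied from install media (e.g. dllcache) keep their old modified time;
    a file that was created and last written in the same minute was dropped there."""
    path = m.group("path")
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if not name.endswith((".exe", ".dll", ".sys")) or "\\dllcache\\" in low:
        return []
    if "\\system32\\" not in low or m.group("created") != m.group("modified"):
        return []
    if "\\prtprocs\\" in low:
        return [("high", f"new print-processor DLL (loaded by the spooler service): {path}")]
    if looks_random(name):
        return [("high", f"new binary with random-looking name in system32: {path}")]
    return [("medium", f"new binary in system32 created and modified at the same time: {path}")]


def check_value(key, name, raw):
    """Registry values that hide alerts or turn protection off.
    A third-party suite may set the overrides legitimately; once it is removed
    (as happened in this thread) they leave the machine silently unprotected."""
    val, lname = reg_int(raw), name.lower()
    if key.endswith("\\security center"):
        if lname in ("antivirusoverride", "firewalloverride") and val == 1:
            return [("high", f"Security Center alert suppressed: {name}=1")]
    elif key.endswith("\\firewallpolicy\\standardprofile"):
        if lname == "enablefirewall" and val == 0:
            return [("high", "Windows Firewall disabled for the standard profile")]
        if lname == "disablenotifications" and val == 1:
            return [("medium", "Windows Firewall notifications disabled")]
    return []


def triage(log_text):
    """Return a list of (severity, message) findings for a ComboFix-style log."""
    findings, current_key = [], ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := INFECTED.match(line):
            findings.append(("high", f"driver patched in place: {m.group(1)}"))
        elif m := FILE_LINE.match(line):
            findings.extend(check_file(m))
        elif m := REG_KEY.match(line):
            current_key = m.group("key").lower()
        elif m := REG_VALUE.match(line):
            findings.extend(check_value(current_key, m.group("name"), m.group("val")))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return Counter(sev for sev, _ in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, msg in results:
        print(f"[{sev:6}] {msg}")
    print(dict(summarize(results)))
```

Run against the sample it reports eight findings: both disinfected drivers, the random-named executable, the print-processor DLL, the two Security Center overrides and the two firewall values, while the dllcache entry (an OS file copied in with its 2008 modified time intact) is correctly left alone.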


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:08:23 AM

Posted 27 May 2010 - 12:09 AM

Hi,


Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/314904/browser-hijack-unable-to-do-windows-update-a-popup-then-blue-screen/

Collect::
c:\windows\system32\jvgnggqnmia.exe
c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll


Save this as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following bolded command at the x:\windows> prompt <--- the red x represents your operating system drive letter, usually C

batch look.bat

You will see many files copied then return to the x:\windows> prompt.
Type Exit then restart your computer and logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.

NEXT:

Once back in Windows, go to Start > Run, and copy/paste the following then press Enter.

maxlook -sig


Post the log in your next reply
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#15 whippit1

whippit1
  • Topic Starter

  • Members
  • 19 posts
  • Local time:02:23 AM

Posted 29 May 2010 - 12:49 PM

ComboFix 10-05-28.08 - Administrator 05/29/2010 11:16:57.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.775 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

file zipped: c:\windows\system32\jvgnggqnmia.exe
file zipped: c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jvgnggqnmia.exe
c:\windows\system32\Spool\prtprocs\w32x86\b00003081.dll

Infected copy of c:\windows\system32\drivers\IntelIde.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.

2010-05-23 15:51 . 2010-05-23 15:51 6444 ----a-w- C:\ComboFix.zip
2010-05-05 00:02 . 2010-05-05 00:02 -------- d-----w- C:\spoolerlogs
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-04 23:59 . 2010-05-04 23:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-05-04 23:55 . 2010-05-05 11:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-04 02:41 . 2010-05-04 02:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-04 01:04 . 2010-05-04 01:04 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-05-03 23:59 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-05-03 23:59 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-05-03 23:59 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-05-03 23:58 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-05-03 23:58 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-05-03 23:58 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-05-03 23:58 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-05-03 23:58 . 2004-08-04 03:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-05-03 23:57 . 2004-08-04 03:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-05-03 23:57 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-05-03 23:57 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-05-03 23:57 . 2004-08-04 03:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-05-03 23:57 . 2001-08-17 17:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-05-03 23:57 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-05-03 23:57 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-05-03 23:57 . 2001-08-18 03:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-05-03 23:55 . 2001-08-17 17:14 249402 -c--a-w- c:\windows\system32\dllcache\vinwm.sys
2010-05-03 23:54 . 2001-08-18 03:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-05-03 23:54 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2010-05-03 23:54 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2010-05-03 23:54 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2010-05-03 23:54 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2010-05-03 23:54 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2010-05-03 23:54 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-05-03 23:54 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2010-05-03 23:54 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2010-05-03 23:54 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2010-05-03 23:54 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2010-05-03 23:54 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-05-03 23:52 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2010-05-03 23:52 . 2001-08-17 17:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-05-03 23:52 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2010-05-03 23:52 . 2008-04-13 18:40 149376 -c--a-w- c:\windows\system32\dllcache\tffsport.sys
2010-05-03 23:52 . 2001-08-17 17:13 17129 -c--a-w- c:\windows\system32\dllcache\tdkcd31.sys
2010-05-03 23:52 . 2001-08-17 17:13 37961 -c--a-w- c:\windows\system32\dllcache\tdk100b.sys
2010-05-03 23:52 . 2001-08-17 18:49 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2010-05-03 23:52 . 2001-08-17 18:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys
2010-05-03 23:52 . 2001-08-17 17:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2010-05-03 23:52 . 2001-08-17 19:56 172768 -c--a-w- c:\windows\system32\dllcache\t2r4disp.dll
2010-05-03 23:52 . 2001-08-17 19:07 32640 -c--a-w- c:\windows\system32\dllcache\symc8xx.sys
2010-05-03 23:50 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-05-03 23:50 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2010-05-03 23:50 . 2001-08-18 03:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2010-05-03 23:50 . 2001-08-17 18:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-05-03 23:50 . 2001-08-18 03:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2010-05-03 23:50 . 2001-08-17 19:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2010-05-03 23:50 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-03 23:50 . 2001-08-17 17:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-05-03 23:50 . 2001-08-18 03:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2010-05-03 23:50 . 2001-08-17 17:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2010-05-03 23:50 . 2001-08-17 18:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2010-05-03 23:50 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2010-05-03 23:50 . 2001-08-17 18:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2010-05-03 23:48 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-05-03 23:47 . 2001-08-18 03:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-05-03 23:47 . 2001-08-17 17:19 36480 -c--a-w- c:\windows\system32\dllcache\sfmanm.sys
2010-05-03 23:47 . 2001-08-17 18:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-05-03 23:47 . 2001-08-17 18:48 17664 -c--a-w- c:\windows\system32\dllcache\sermouse.sys
2010-05-03 23:47 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2010-05-03 23:47 . 2008-04-13 18:45 11520 -c--a-w- c:\windows\system32\dllcache\scsiscan.sys
2010-05-03 23:47 . 2001-08-17 18:52 11648 -c--a-w- c:\windows\system32\dllcache\scsiprnt.sys
2010-05-03 23:47 . 2001-08-17 18:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-05-03 23:47 . 2001-08-17 18:51 16640 -c--a-w- c:\windows\system32\dllcache\scmstcs.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmusbm.sys
2010-05-03 23:47 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2010-05-03 23:47 . 2008-04-13 18:40 43904 -c--a-w- c:\windows\system32\dllcache\sbp2port.sys
2010-05-03 23:47 . 2001-08-18 03:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-05-03 23:45 . 2001-08-17 17:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-05-03 23:45 . 2001-08-17 17:19 30720 -c--a-w- c:\windows\system32\dllcache\rthwcls.sys
2010-05-03 23:45 . 2001-08-18 03:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2010-05-03 23:45 . 2001-08-17 17:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2010-05-03 23:45 . 2008-04-13 18:40 79104 -c--a-w- c:\windows\system32\dllcache\rocket.sys
2010-05-03 23:45 . 2001-08-17 17:12 37563 -c--a-w- c:\windows\system32\dllcache\rlnet5.sys
2010-05-03 23:45 . 2001-08-18 03:36 86097 -c--a-w- c:\windows\system32\dllcache\reslog32.dll
2010-05-03 23:45 . 2001-08-17 18:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-05-03 23:45 . 2001-08-17 18:28 714762 -c--a-w- c:\windows\system32\dllcache\r2mdmkxx.sys
2010-05-03 23:45 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2010-05-03 23:45 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\qvusd.dll
2010-05-03 23:45 . 2001-08-17 18:53 3328 -c--a-w- c:\windows\system32\dllcache\qv2kux.sys
2010-05-03 23:43 . 2001-08-17 18:53 7168 -c--a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-05-03 23:42 . 2001-08-18 03:36 86016 -c--a-w- c:\windows\system32\dllcache\pctspk.exe
2010-05-03 23:41 . 2001-08-17 19:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-05-03 23:41 . 2001-08-17 19:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-05-03 23:41 . 2001-08-17 19:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-05-03 23:41 . 2001-08-17 18:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-05-03 23:41 . 2001-08-17 17:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-05-03 23:41 . 2001-08-17 17:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-05-03 23:41 . 2001-08-17 17:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-05-03 23:41 . 2008-04-13 18:46 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-03 23:41 . 2001-08-17 17:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-05-03 23:41 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-05-03 23:41 . 2001-08-17 17:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-05-03 23:41 . 2001-08-17 18:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-05-03 23:41 . 2001-08-17 18:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-05-03 23:39 . 2001-08-17 19:56 35392 -c--a-w- c:\windows\system32\dllcache\n9i128.dll
2010-05-03 23:39 . 2001-08-17 17:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-05-03 23:39 . 2001-08-17 17:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-05-03 23:39 . 2001-08-17 18:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-05-03 23:39 . 2001-08-18 03:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-05-03 23:39 . 2001-08-17 18:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-05-03 23:39 . 2001-08-18 03:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-05-03 23:39 . 2001-08-17 18:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-05-03 23:39 . 2001-08-17 17:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-05-03 23:39 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-05-03 23:39 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-05-03 23:38 . 2001-08-17 19:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-05-03 23:38 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-05-03 23:38 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-05-03 23:38 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-05-03 23:38 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-05-03 23:38 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-05-03 23:38 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-05-03 23:38 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-05-03 23:36 . 2001-08-17 18:28 727786 -c--a-w- c:\windows\system32\dllcache\ltck000c.sys
2010-05-03 23:35 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-05-03 23:34 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-05-03 23:34 . 2001-08-17 19:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys
2010-05-03 23:34 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 16:11 . 2006-08-04 22:51 5504 ----a-w- c:\windows\system32\drivers\IntelIde.sys
2010-05-19 11:41 . 2004-08-04 12:00 578560 ----a-w- c:\windows\system32\user32.dll
2010-05-14 22:11 . 2009-06-08 22:56 64368 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 23:11 . 2009-06-09 15:44 -------- d-----w- c:\program files\DL
2010-05-04 03:44 . 2010-04-23 21:59 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-05-03 21:23 . 2009-10-29 14:02 -------- d-----w- c:\program files\Coupons
2010-05-03 20:54 . 2006-08-05 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-02 19:08 . 2006-08-11 13:53 63792 -c--a-w- c:\documents and settings\Rich (dad)\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 17:12 . 2006-08-10 00:22 63792 -c--a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 16:51 . 2006-12-24 04:53 -------- d-----w- c:\documents and settings\Sarah\Application Data\Apple Computer
2010-05-01 16:48 . 2008-03-27 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-01 16:45 . 2006-08-11 04:39 -------- d-----w- c:\documents and settings\Sarah\Application Data\LimeWire
2010-05-01 15:08 . 2008-06-30 20:20 -------- d-----w- c:\documents and settings\Sarah\Application Data\U3
2010-04-25 22:45 . 2010-04-25 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-04-23 22:09 . 2010-04-23 21:47 -------- d-----w- c:\program files\Comodo
2010-04-23 22:07 . 2010-04-23 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-04-23 22:07 . 2010-04-23 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-04-23 21:51 . 2010-04-23 21:51 -------- d-----w- c:\documents and settings\Rich (dad)\Application Data\Research In Motion
2010-04-23 21:47 . 2010-04-23 21:47 -------- d-----w- c:\documents and settings\Rich (dad)\Application Data\Comodo
2010-04-23 21:47 . 2010-04-23 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-23 21:46 . 2010-04-23 21:46 1510584 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\trustconnectclient.exe
2010-04-23 21:46 . 2010-04-23 21:46 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
2010-04-23 20:22 . 2006-08-09 22:58 -------- d-----w- c:\documents and settings\Sarah\Application Data\Lavasoft
2010-04-05 03:08 . 2009-08-18 23:55 -------- d-----w- c:\program files\RealArcade
2010-04-05 03:08 . 2007-06-17 03:43 -------- d-----w- c:\program files\Oberon Media
2010-03-10 06:15 . 2004-08-04 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Icatch(VI) SnapDetect.lnk - c:\windows\twain_32\ca561a\SnapDetect.exe [2009-7-20 65536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2008-10-21 17:09 50472 ----a-w- c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-04-21 23:03 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
2006-06-07 17:35 319488 -c--a-w- c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-06 16:07 114688 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-06 16:19 155648 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-01-08 19:54 65536 -c--a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-01-29 03:56 4363504 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"SNDSrvc"=2 (0x2)
"MDM"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/19/2010 5:00 PM 148744]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 6:16 PM 24652]
.
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www.update
TCP: {C3E776C6-49CF-46B3-BB85-929D6866D6B1} = 67.158.184.12,67.158.184.11
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kimryps6.default\
FF - prefs.js: browser.search.selectedEngine - Google.com Search
FF - component: c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\components\adproFfx.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.33\NPSceneCaster.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-jvgnggqnmia - c:\windows\system32\jvgnggqnmia.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 11:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EC4AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7676f28
\Driver\ACPI -> ACPI.sys @ 0xf75e9cb8
\Driver\atapi -> atapi.sys @ 0xf757b852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7474bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7481a21
SendHandler -> NDIS.sys @ 0xf745f87b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-1078081533-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,5b,06,9a,ba,a9,af,45,a1,3f,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,5b,06,9a,ba,a9,af,45,a1,3f,ef,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1264)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1324)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2010-05-29 11:45:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-29 16:45
ComboFix2.txt 2010-05-23 15:49
ComboFix3.txt 2010-05-19 12:42

Pre-Run: 21,256,396,800 bytes free
Post-Run: 21,217,017,856 bytes free

- - End Of File - - 01A556E299C6D8FC73A0492D67A9CD1D



Run from C:\Documents and Settings\Administrator\Desktop\maxlook.exe on Sat 05/29/2010 at 11:59:28.06

--------- maxlook unsigned files ---------

c:\windows\maxdriver\imagedrv.sys:
    Verified:    Unsigned
    File date:    1:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    NERO IMAGEDRIVE SCSI miniport
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\maxdriver\imagesrv.sys:
    Verified:    Unsigned
    File date:    1:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    Nero Image Server
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\maxdriver\IntelIde.sys:
    Verified:    Unsigned
    File date:    11:11 AM 5/29/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\maxdriver\SMBios.sys:
    Verified:    Unsigned
    File date:    12:10 AM 10/14/2003
    Publisher:    Intel Corporation
    Description:    Intel(R) System Management BIOS Driver
    Product:    Intel (R) System Management BIOS Driver
    Version:    1.0.0.14
    File version:    1.0.0.14
c:\windows\maxdriver\spca561.sys:
    Verified:    Unsigned
    File date:    3:43 PM 10/1/2002
    Publisher:    SP
    Description:    Universal Serial Bus Camera Driver
    Product:    Microsoft(R) Windows NT(R) Operating System
    Version:    1.0.4.8
    File version:    1.0.4.8

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\imagedrv.sys:
    Verified:    Unsigned
    File date:    1:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    NERO IMAGEDRIVE SCSI miniport
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\system32\drivers\imagesrv.sys:
    Verified:    Unsigned
    File date:    1:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    Nero Image Server
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
c:\windows\system32\drivers\SMBios.sys:
    Verified:    Unsigned
    File date:    12:10 AM 10/14/2003
    Publisher:    Intel Corporation
    Description:    Intel(R) System Management BIOS Driver
    Product:    Intel (R) System Management BIOS Driver
    Version:    1.0.0.14
    File version:    1.0.0.14
c:\windows\system32\drivers\spca561.sys:
    Verified:    Unsigned
    File date:    3:43 PM 10/1/2002
    Publisher:    SP
    Description:    Universal Serial Bus Camera Driver
    Product:    Microsoft(R) Windows NT(R) Operating System
    Version:    1.0.4.8
    File version:    1.0.4.8

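As an added illustration of how a helper reads a maxlook report like the one above (example code written for this page, not part of the thread or of the maxlook tool), the script below parses the "unsigned files" blocks, flags unsigned drivers that carry no version information or a file date on the day of the scan, and lists files that are unsigned in the Recovery Console copy (maxdriver) but absent from the list taken on the running system. The sample input is constructed to mirror the posted log; the section names and field layout are taken from it, and the "recently modified" threshold is an assumption.

```python
"""Parse a maxlook 'unsigned files' report and flag entries worth a second look.
Added example; not part of the original thread or of the maxlook tool."""
import re
from datetime import datetime

# Constructed sample in the maxlook format seen in the thread: a dashed section
# header, then one "path:" line per driver followed by indented "Field: value" lines.
SAMPLE_LOG = r"""
Run from C:\Documents and Settings\Administrator\Desktop\maxlook.exe on Sat 05/29/2010 at 11:59:28.06

--------- maxlook unsigned files ---------

c:\windows\maxdriver\IntelIde.sys:
    Verified:    Unsigned
    File date:    11:11 AM 5/29/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\imagedrv.sys:
    Verified:    Unsigned
    File date:    1:08 PM 8/15/2005
    Publisher:    Ahead Software AG
    Description:    NERO IMAGEDRIVE SCSI miniport
    Product:    Nero ImageDrive
    Version:    2.29.0.0
    File version:    2.29.0.0 built by: WinDDK
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+):$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
RUN_RE = re.compile(r"\bon \w{3} (\d{2}/\d{2}/\d{4}) at")


def parse_maxlook(text):
    """Return (scan_date, entries); each entry is a dict with 'section', 'path'
    and the report's fields keyed by their lowercased names."""
    scan_date, section, entries, current = None, None, [], None
    for line in text.splitlines():
        m = RUN_RE.search(line)
        if m and scan_date is None:
            scan_date = datetime.strptime(m.group(1), "%m/%d/%Y").date()
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        m = PATH_RE.match(line)
        if m:
            current = {"section": section, "path": m.group("path")}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip().lower()] = m.group("value").strip()
    return scan_date, entries


def suspicious(entry, scan_date, recent_days=1):
    """Reasons an unsigned driver deserves a closer look (threshold is an assumption)."""
    reasons = []
    if entry.get("publisher", "n/a") == "n/a" and entry.get("description", "n/a") == "n/a":
        reasons.append("no version resource (publisher/description n/a)")
    stamp = entry.get("file date")
    if stamp and scan_date:
        file_date = datetime.strptime(stamp, "%I:%M %p %m/%d/%Y").date()
        if (scan_date - file_date).days <= recent_days:
            reasons.append("modified within %d day(s) of the scan" % recent_days)
    return reasons


def offline_only(entries):
    """Basenames unsigned in the Recovery Console copy (maxdriver) but not in
    the list taken from the running system."""
    by_section = {}
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_section.setdefault(e["section"], set()).add(name)
    offline = by_section.get("maxlook unsigned files", set())
    live = by_section.get("system32\\drivers unsigned files", set())
    return sorted(offline - live)


def report(text):
    """Map flagged path -> reasons, plus the offline-only basenames."""
    scan_date, entries = parse_maxlook(text)
    flagged = {e["path"]: r for e in entries if (r := suspicious(e, scan_date))}
    return flagged, offline_only(entries)


if __name__ == "__main__":
    flagged, offline = report(SAMPLE_LOG)
    for path, reasons in flagged.items():
        print(path, "->", "; ".join(reasons))
    print("unsigned offline but not listed live:", offline)
```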