B5.tmp and others


  • This topic is locked
24 replies to this topic

#1 ussrsnpr

ussrsnpr

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 19 May 2010 - 11:35 PM

I have XP Pro running Kaspersky Internet Security and I keep getting warnings about different **.tmp programs trying to run. I click on "limit", but then a new version comes on later, and now I can't get online with IE, Opera or Firefox but can with Safari. Please help. I know I clicked on something to download without thinking, but Kaspersky stopped it from completing, or so I thought.


#2 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 12:01 AM

Antivirus is up to date; I do update it every day. Will wait for more help...

#3 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 12:09 AM

Now getting warnings about E8.TMP & E9.TMP; Spybot is running as I type this and finding errors?

#4 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 12:23 AM

OK, ComboFix is working. Do I post my log here when done?

#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender: Male
  • Location: US
  • Local time: 11:45 AM

Posted 20 May 2010 - 01:43 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already run ComboFix, please post the log from it. The log should open upon completion of the tool. However, if it does not for some reason, the log can be found at C:\ComboFix.txt

If you have not run ComboFix. . . Please do not do so yet. Simply reply to this topic letting me know that you haven't run the tool yet. . . and we'll move from there.

Sorry for the bumpy ride so far; it should get better from here on out, I hope.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#6 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 01:48 AM

So as I stated in my reply earlier, I ran ComboFix last night (like a dumba**) without reading the entire process involved, including the part about "Do Not run unless instructed to". I swear I saved the log in Notepad, but I can't find it; I tried C:\ComboFix.txt and I get "the device is not ready".
Hope you can help a bonehead.

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender: Male
  • Location: US
  • Local time: 11:45 AM

Posted 20 May 2010 - 02:08 AM

Hello. . .

QUOTE
tried C:\ComboFix.txt and I get "the device is not ready"


This sounds like you're trying to access a non-permanent drive (CD drive, external HDD, floppy drive, etc.).

The log should be located at the root of whichever drive you have windows installed on. If this is not the C:\ drive. . . as is usually the case, then you will need to look in the root of whichever drive windows is located in.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#8 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 02:11 AM

Blade, I have read your post through twice now so as not to repeat my blunder of last night.
The problem: Kaspersky keeps popping up warnings about suspicious programs; all have been .TMP, and it started about two days ago. I finally realized something was going on when I tried to go online and "IE cannot open this page" showed up. When Kaspersky warns me about the activity I have two options, allow (not recommended) and limit. I have hit limit every time, and the next time the message appears the .TMP prefix has changed; it was B5.TMP, now we are up to something like E117.TMP.
As stated previously, I ran ComboFix unsupervised, and now in command prompt I try to retrieve the log and get the message "the device is not ready".

#9 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time: 08:45 AM

Posted 20 May 2010 - 02:17 AM

Right again, apparently my drive is E:
So here is the log

ComboFix 10-05-16.02 - home 05/17/2010 23:42:55.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.934 [GMT -7:00]
Running from: e:\documents and settings\home\Local Settings\Temporary Internet Files\Content.IE5\YTNL0FEQ\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\docume~1\home\LOCALS~1\Temp\jna8604629361052110160.dll
e:\documents and settings\All Users\Application Data\Toolbar4
e:\documents and settings\home\Application Data\02000000f2e2ff70916C.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916O.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916P.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916S.manifest
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{fe9767f7-4fbc-467c-823b-988f82e73e52}
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{fe9767f7-4fbc-467c-823b-988f82e73e52}\chrome.manifest
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{fe9767f7-4fbc-467c-823b-988f82e73e52}\chrome\xulcache.jar
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{fe9767f7-4fbc-467c-823b-988f82e73e52}\defaults\preferences\xulcache.js
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{fe9767f7-4fbc-467c-823b-988f82e73e52}\install.rdf
e:\documents and settings\home\Application Data\SystemProc
e:\documents and settings\home\Application Data\SystemProc\lsass.exe
e:\documents and settings\home\Local Settings\Temp\jna8604629361052110160.dll
e:\program files\FunWebProducts
e:\program files\MyWebSearch
e:\program files\MyWebSearch\bar\History\search3
e:\program files\MyWebSearch\bar\Settings\s_pid.dat
e:\program files\MyWebSearch\bar\Settings\setting2.htm
e:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
e:\program files\MyWebSearch\bar\Settings\settings.dat
e:\program files\MyWebSearch\bar\Settings\settings.dat.bak
e:\windows\GnuHashes.ini
e:\windows\system32\1647602019
e:\windows\system32\AbaleZip.dll
e:\windows\system32\DSSENH32.DLL
e:\windows\system32\msssc.dll
e:\windows\system32\SysWoW32
e:\windows\system32\SysWoW32\@u173823070v0
e:\windows\system32\SysWoW32\@u173823070v1
e:\windows\system32\SysWoW32\@u173823070v2
e:\windows\system32\SysWoW32\@u173823070v3
e:\windows\system32\SysWoW32\_u173823070v0
e:\windows\system32\SysWoW32\_u173823070v1
e:\windows\system32\SysWoW32\_u173823070v2
e:\windows\system32\SysWoW32\_u173823070v3
e:\windows\system32\SysWoW32\mu173823070v4
e:\windows\system32\SysWoW32\mu173823070v4.kwd
e:\windows\system32\SysWoW32\mu173823070v5
e:\windows\system32\SysWoW32\mu173823070v5.kwd
e:\windows\system32\SysWoW32\mu173823070v6
e:\windows\system32\SysWoW32\mu173823070v6.kwd
e:\windows\system32\SysWoW32\mu173823070v7
e:\windows\system32\SysWoW32\mu173823070v7.kwd
e:\windows\system32\SysWoW32\wu173823070v0
e:\windows\system32\SysWoW32\wu173823070v0.kwd
e:\windows\system32\SysWoW32\wu173823070v1
e:\windows\system32\SysWoW32\wu173823070v1.kwd
e:\windows\system32\SysWoW32\wu173823070v2
e:\windows\system32\SysWoW32\wu173823070v2.kwd
e:\windows\system32\SysWoW32\wu173823070v3
e:\windows\system32\SysWoW32\wu173823070v3.kwd
e:\windows\system32\unrar.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-18 06:50 . 2010-05-18 06:50 203776 --sh--w- e:\windows\system32\unrar.exe
2010-05-18 06:50 . 2010-05-18 06:50 -------- d-----w- e:\windows\system32\1647602019
2010-05-18 06:50 . 2010-05-18 06:50 -------- d-sh--w- e:\documents and settings\home\Application Data\SystemProc
2010-05-18 05:58 . 2010-05-18 06:11 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-05-18 05:58 . 2010-05-18 06:02 -------- d-----w- e:\program files\SpywareBlaster
2010-05-18 04:47 . 2010-05-18 04:51 -------- d-----w- e:\windows\SxsCaPendDel
2010-05-18 04:32 . 2010-05-18 04:32 95024 ----a-w- e:\windows\system32\drivers\SBREDrv.sys
2010-05-18 04:26 . 2010-05-18 05:56 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft
2010-05-16 22:16 . 2010-05-16 22:16 185856 ----a-w- e:\windows\system32\comsvcs32.dll
2010-05-16 22:14 . 2010-05-16 22:14 185856 ----a-w- e:\windows\system32\cdfview32.dll
2010-05-16 22:11 . 2010-05-16 22:11 185856 ----a-w- e:\windows\system32\eapp3hst32.dll
2010-05-08 00:40 . 2010-05-08 00:40 -------- d-----w- e:\program files\iPod
2010-05-08 00:40 . 2010-05-08 00:41 -------- d-----w- e:\program files\iTunes
2010-05-08 00:40 . 2010-05-08 00:41 -------- d-----w- e:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-08 00:33 . 2010-05-08 00:34 -------- d-----w- e:\program files\QuickTime
2010-05-08 00:28 . 2010-05-08 00:28 -------- d-----w- e:\program files\Bonjour
2010-05-08 00:23 . 2010-05-08 00:23 73000 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-04 03:58 . 2010-04-13 00:29 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-05-03 05:25 . 2010-05-03 05:25 -------- d-----w- e:\documents and settings\All Users\Application Data\IObit
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-----w- e:\documents and settings\home\Application Data\IObit
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-----w- e:\program files\IObit
2010-05-02 16:42 . 2010-05-02 16:42 -------- d-----w- e:\program files\FLV Player
2010-05-02 06:24 . 2010-03-31 06:38 20968 ----a-w- e:\windows\system32\drivers\cpuz133_x32.sys
2010-05-02 06:24 . 2010-05-02 06:24 -------- d-----w- e:\program files\CPUID
2010-04-29 05:09 . 2010-04-29 05:09 -------- d-----w- e:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-29 05:04 . 2010-04-29 05:04 -------- d-----w- e:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-23 05:41 . 2010-04-23 05:41 -------- d-----w- e:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-23 05:36 . 2010-04-23 05:48 77373 ----a-w- e:\windows\hpqins05.dat
2010-04-21 07:11 . 2009-05-16 06:14 1056768 ----a-w- e:\windows\system32\ROBOEX32.DLL
2010-04-21 07:11 . 2009-05-16 06:14 49152 ----a-w- e:\windows\system32\INETWH32.DLL
2010-04-21 07:11 . 2010-04-21 07:11 -------- d-----w- e:\program files\NetObjects
2010-04-21 07:00 . 2002-01-31 07:52 327168 ----a-w- e:\windows\IsUninst.exe
2010-04-21 05:39 . 2010-04-21 05:39 30080 ---ha-w- e:\windows\system32\mlfcache.dat
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- e:\program files\WinSCP
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- e:\program files\Free Offers from Freeze.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 06:50 . 2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll
2010-05-18 06:50 . 2010-05-18 06:50 115712 --sha-w- e:\documents and settings\home\Application Data\SystemProc\lsass.exe
2010-05-18 06:50 . 2010-05-18 06:50 1075712 --sha-w- e:\windows\system32\7E.tmp
2010-05-18 06:49 . 2010-02-25 02:27 664 ----a-w- e:\windows\system32\d3d9caps.dat
2010-05-18 06:49 . 2010-02-23 07:19 -------- d-----w- e:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-18 06:49 . 2010-02-25 02:27 -------- d-----w- e:\documents and settings\home\Application Data\LimeWire
2010-05-18 06:25 . 2010-02-23 07:27 -------- d-----w- e:\documents and settings\home\Application Data\HPAppData
2010-05-16 22:20 . 2010-05-16 22:20 1075712 --sha-w- e:\windows\system32\7D.tmp
2010-05-16 08:04 . 2010-04-10 07:27 892072 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-15 05:11 . 2010-04-09 01:58 -------- d-----w- e:\documents and settings\home\Application Data\HpUpdate
2010-05-13 07:21 . 2010-02-24 01:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-08 00:40 . 2010-03-09 05:02 -------- d-----w- e:\program files\Common Files\Apple
2010-05-06 03:56 . 2010-02-23 07:20 113933 ----a-w- e:\windows\system32\drivers\klin.dat
2010-05-06 03:56 . 2010-02-23 07:20 97549 ----a-w- e:\windows\system32\drivers\klick.dat
2010-05-04 03:58 . 2010-02-25 02:25 -------- d-----w- e:\program files\Java
2010-04-29 05:05 . 2010-04-03 05:37 -------- d-----w- e:\program files\Google
2010-04-26 06:27 . 2010-02-25 01:20 -------- d-----w- e:\documents and settings\home\Application Data\U3
2010-04-25 04:09 . 2010-02-23 07:01 31584 ----a-w- e:\documents and settings\home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 05:44 . 2010-02-23 06:57 -------- d-----w- e:\documents and settings\All Users\Application Data\HP
2010-04-21 04:34 . 2010-03-07 07:05 -------- d-----w- e:\documents and settings\home\Application Data\FileZilla
2010-04-19 04:51 . 2010-03-07 07:04 -------- d-----w- e:\program files\FileZilla FTP Client
2010-04-16 15:33 . 2010-03-09 05:03 41472 ----a-w- e:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2010-03-09 05:03 3003680 ----a-w- e:\windows\system32\usbaaplrc.dll
2010-04-11 19:47 . 2010-04-11 19:47 -------- d-----w- e:\program files\Microsoft Silverlight
2010-04-09 04:28 . 2010-04-09 04:28 -------- d-----w- e:\documents and settings\home\Application Data\Intuit
2010-04-09 04:28 . 2010-04-09 04:27 -------- d-----w- e:\program files\Common Files\AnswerWorks 5.0
2010-04-09 04:27 . 2010-04-09 04:24 -------- d-----w- e:\program files\Common Files\Intuit
2010-04-09 04:24 . 2010-04-09 03:45 -------- d-----w- e:\documents and settings\All Users\Application Data\Intuit
2010-04-09 04:23 . 2010-04-09 04:23 -------- d-----w- e:\program files\TurboTax
2010-04-09 03:54 . 2010-04-09 03:54 -------- d-----w- e:\program files\MSBuild
2010-04-09 03:54 . 2010-04-09 03:54 -------- d-----w- e:\program files\Reference Assemblies
2010-04-09 01:59 . 2010-02-23 06:17 -------- d-----w- e:\program files\HP
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- e:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- e:\windows\system32\dns-sd.exe
2010-03-31 03:36 . 2010-03-31 03:36 -------- d-----w- e:\program files\Common Files\Java
2010-03-31 03:34 . 2010-03-31 03:34 503808 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\msvcp71.dll
2010-03-31 03:34 . 2010-03-31 03:34 499712 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\jmc.dll
2010-03-31 03:34 . 2010-03-31 03:34 61440 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b1e98b3-n\decora-sse.dll
2010-03-31 03:34 . 2010-03-31 03:34 348160 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\msvcr71.dll
2010-03-31 03:34 . 2010-03-31 03:34 12800 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b1e98b3-n\decora-d3d.dll
2010-03-26 04:41 . 2010-03-26 04:41 -------- d-----w- e:\program files\Opera
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- e:\windows\system32\GPhotos.scr
2010-03-18 05:37 . 2010-03-18 05:35 23109 ----a-w- e:\windows\hpqins15.dat
2010-03-14 07:20 . 2010-03-14 07:20 0 -c--a-w- e:\windows\nsreg.dat
2010-03-10 06:15 . 2006-02-28 11:00 420352 ----a-w- e:\windows\system32\vbscript.dll
2010-03-08 04:45 . 2010-03-08 04:45 86016 ----a-w- e:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-04 12:00 . 2010-03-04 12:00 79144 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-27 19:04 . 2010-02-27 19:04 152576 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-27 19:04 . 2010-02-27 19:04 79488 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-26 06:06 . 2010-02-26 06:06 552 ----a-w- e:\windows\system32\d3d8caps.dat
2010-02-25 06:24 . 2006-02-28 11:00 916480 ----a-w- e:\windows\system32\wininet.dll
2010-02-25 02:24 . 2010-02-25 02:24 152576 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-24 13:11 . 2006-02-28 11:00 455680 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2010-02-24 04:18 . 2010-02-22 05:28 86327 ----a-w- e:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 07:26 . 2010-02-23 07:26 932368 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-02-23 07:26 . 2010-02-23 07:26 678416 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-02-23 07:26 . 2010-02-23 07:26 604688 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-02-23 07:26 . 2010-02-23 07:26 522768 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-02-23 07:26 . 2010-02-23 07:26 1096208 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-02-23 07:26 . 2010-02-23 07:26 80400 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-23 07:26 . 2010-02-23 07:26 80400 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-23 07:02 . 2010-02-23 06:50 155124 ----a-w- e:\windows\hpoins35.dat
2010-02-23 06:17 . 2010-02-23 06:17 10134 ----a-r- e:\documents and settings\home\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2010-02-23 04:47 . 2010-02-23 04:47 15781 ----a-w- e:\windows\system32\drivers\mdc8021x.sys
2010-02-22 05:25 . 2010-02-22 05:25 21640 ----a-w- e:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02051D5E-7AF9-43C0-971E-3FCFFA9B5B1d}]
2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="e:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="e:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"hpqSRMon"="e:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"AVP"="e:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="e:\documents and settings\home\Application Data\SystemProc\lsass.exe" [2010-05-18 115712]

e:\documents and settings\home\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - e:\program files\LimeWire\LimeWire.exe [2010-3-16 503808]
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\50060e04916]
2010-05-16 22:11 185856 ----a-w- e:\windows\system32\eapp3hst32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"e:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"e:\\Program Files\\Opera\\opera.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\WINDOWS\\explorer.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;e:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 cpuz133;cpuz133;e:\windows\system32\drivers\cpuz133_x32.sys [5/1/2010 11:24 PM 20968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;e:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;e:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [4/28/2010 10:04 PM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-05-18 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 05:04]

2010-05-18 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 05:04]

2010-05-18 e:\windows\Tasks\OGALogon.job
- e:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - e:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\
FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-76-0-Wfii
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: e:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: e:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: e:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = e:\documents and settings\home\Application Data\SystemProc\lsass.exe????????????????????????????????????????????????????????????

scanning hidden files ...


e:\windows\system32\ftsrch32.dll 284672 bytes executable
e:\windows\system32\unrar.exe 203776 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
e:\windows\system32\eapp3hst32.dll

- - - - - - - > 'explorer.exe'(3688)
e:\windows\system32\WININET.dll
e:\windows\system32\eapp3hst32.dll
e:\windows\system32\7E.tmp
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\program files\WinSCP\DragExt.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Analog Devices\SoundMAX\SMAgent.exe
e:\program files\iPod\bin\iPodService.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-17 23:53:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-18 06:53

Pre-Run: 300,040,310,784 bytes free
Post-Run: 299,966,586,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
e:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 489E54CCE0624D55836F29068B437702


#10 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:11:45 AM

Posted 21 May 2010 - 04:41 AM

Hello ussrsnpr

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow users to share files between each other, as the name(s) suggest. In today's world, cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries over the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

I would recommend going to Add/Remove Programs and uninstalling LimeWire now. If you wish to keep these programs, it is imperative that you do not use them until I have declared you clean.

***************************************************

1. Open notepad and copy/paste the text in the codebox below into it. Please ensure that Word Wrap is not enabled in notepad. (Under the Format menu, Word Wrap should be unchecked):

CODE
http://www.bleepingcomputer.com/forums/t/317918/b5tmp-and-others/

Suspect::
e:\windows\system32\ftsrch32.dll
e:\windows\system32\unrar.exe
e:\documents and settings\home\Application Data\SystemProc\lsass.exe
e:\windows\system32\eapp3hst32.dll


Registry::
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"RTHDBPL"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as renamed.exe.

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

~Blade


In your next reply, please include the following:
ComboFix Log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 ussrsnpr
  • Topic Starter
  • Members
  • 15 posts
  • Local time:08:45 AM

Posted 21 May 2010 - 11:14 PM

Good evening, Blade. I ran CF as you asked and have now uploaded the log. I saved it, so if it is too large for uploading, let me know and I'll just post it. Thanks.

ComboFix 10-05-21.04 - home 05/21/2010 18:35:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1527.845 [GMT -7:00]
Running from: e:\documents and settings\home\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\home\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

file zipped: e:\windows\system32\ftsrch32.dll
file zipped: e:\windows\system32\unrar.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\docume~1\home\LOCALS~1\Temp\jna6505391830610092543.dll
e:\documents and settings\home\Application Data\02000000f2e2ff70916C.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916O.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916P.manifest
e:\documents and settings\home\Application Data\02000000f2e2ff70916S.manifest
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{37513145-e831-4b73-9b61-bd948e8f16a7}
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{37513145-e831-4b73-9b61-bd948e8f16a7}\chrome.manifest
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{37513145-e831-4b73-9b61-bd948e8f16a7}\chrome\xulcache.jar
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{37513145-e831-4b73-9b61-bd948e8f16a7}\defaults\preferences\xulcache.js
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{37513145-e831-4b73-9b61-bd948e8f16a7}\install.rdf
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{514fa60a-4365-4dec-bf08-012c3b2397d1}
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{514fa60a-4365-4dec-bf08-012c3b2397d1}\chrome.manifest
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{514fa60a-4365-4dec-bf08-012c3b2397d1}\chrome\xulcache.jar
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{514fa60a-4365-4dec-bf08-012c3b2397d1}\defaults\preferences\xulcache.js
e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\extensions\{514fa60a-4365-4dec-bf08-012c3b2397d1}\install.rdf
e:\documents and settings\home\Application Data\SystemProc
e:\documents and settings\home\Application Data\SystemProc\upd.exe
e:\documents and settings\home\Local Settings\Temp\jna6505391830610092543.dll
e:\windows\system32\1647602019
e:\windows\system32\unrar.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 04:35 . 2010-05-21 04:35 -------- d-----w- e:\program files\Windows Defender
2010-05-20 04:46 . 2010-05-20 04:56 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-20 04:46 . 2010-05-20 04:52 -------- d-----w- e:\program files\Spybot - Search & Destroy
2010-05-18 06:50 . 2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll
2010-05-18 05:58 . 2010-05-22 01:13 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2010-05-18 05:58 . 2010-05-19 05:00 -------- d-----w- e:\program files\SpywareBlaster
2010-05-18 04:47 . 2010-05-18 04:51 -------- d-----w- e:\windows\SxsCaPendDel
2010-05-18 04:32 . 2010-05-18 04:32 95024 ----a-w- e:\windows\system32\drivers\SBREDrv.sys
2010-05-18 04:26 . 2010-05-18 05:56 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft
2010-05-16 22:14 . 2010-05-16 22:14 185856 ----a-w- e:\windows\system32\cdfview32.dll
2010-05-08 00:40 . 2010-05-08 00:40 -------- d-----w- e:\program files\iPod
2010-05-08 00:40 . 2010-05-08 00:41 -------- d-----w- e:\program files\iTunes
2010-05-08 00:40 . 2010-05-08 00:41 -------- d-----w- e:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-08 00:33 . 2010-05-08 00:34 -------- d-----w- e:\program files\QuickTime
2010-05-08 00:28 . 2010-05-08 00:28 -------- d-----w- e:\program files\Bonjour
2010-05-08 00:23 . 2010-05-08 00:23 73000 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-04 03:58 . 2010-04-13 00:29 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-05-03 05:25 . 2010-05-03 05:25 -------- d-----w- e:\documents and settings\All Users\Application Data\IObit
2010-05-02 16:48 . 2010-05-19 05:02 -------- d-----w- e:\documents and settings\home\Application Data\IObit
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-----w- e:\program files\IObit
2010-05-02 16:42 . 2010-05-02 16:42 -------- d-----w- e:\program files\FLV Player
2010-05-02 06:24 . 2010-03-31 06:38 20968 ----a-w- e:\windows\system32\drivers\cpuz133_x32.sys
2010-05-02 06:24 . 2010-05-02 06:24 -------- d-----w- e:\program files\CPUID
2010-04-29 05:09 . 2010-04-29 05:09 -------- d-----w- e:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-29 05:04 . 2010-04-29 05:04 -------- d-----w- e:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-23 05:41 . 2010-04-23 05:41 -------- d-----w- e:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-23 05:36 . 2010-04-23 05:48 77373 ----a-w- e:\windows\hpqins05.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 01:45 . 2010-02-25 02:27 664 ----a-w- e:\windows\system32\d3d9caps.dat
2010-05-22 01:45 . 2010-02-25 02:27 -------- d-----w- e:\documents and settings\home\Application Data\LimeWire
2010-05-22 01:44 . 2010-02-23 07:19 -------- d-----w- e:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-05-22 01:28 . 2010-02-23 07:27 -------- d-----w- e:\documents and settings\home\Application Data\HPAppData
2010-05-21 05:16 . 2010-04-03 05:37 -------- d-----w- e:\program files\Google
2010-05-20 03:26 . 2010-04-21 05:39 30256 ---ha-w- e:\windows\system32\mlfcache.dat
2010-05-18 06:50 . 2010-05-18 06:50 1075712 --sha-w- e:\windows\system32\7E.tmp
2010-05-16 22:20 . 2010-05-16 22:20 1075712 --sha-w- e:\windows\system32\7D.tmp
2010-05-16 08:04 . 2010-04-10 07:27 892072 ----a-w- e:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-15 05:11 . 2010-04-09 01:58 -------- d-----w- e:\documents and settings\home\Application Data\HpUpdate
2010-05-13 07:21 . 2010-02-24 01:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-08 00:40 . 2010-03-09 05:02 -------- d-----w- e:\program files\Common Files\Apple
2010-05-06 03:56 . 2010-02-23 07:20 113933 ----a-w- e:\windows\system32\drivers\klin.dat
2010-05-06 03:56 . 2010-02-23 07:20 97549 ----a-w- e:\windows\system32\drivers\klick.dat
2010-05-04 03:58 . 2010-02-25 02:25 -------- d-----w- e:\program files\Java
2010-04-26 06:27 . 2010-02-25 01:20 -------- d-----w- e:\documents and settings\home\Application Data\U3
2010-04-25 04:09 . 2010-02-23 07:01 31584 ----a-w- e:\documents and settings\home\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-23 05:44 . 2010-02-23 06:57 -------- d-----w- e:\documents and settings\All Users\Application Data\HP
2010-04-21 07:11 . 2010-04-21 07:11 -------- d-----w- e:\program files\NetObjects
2010-04-21 04:34 . 2010-03-07 07:05 -------- d-----w- e:\documents and settings\home\Application Data\FileZilla
2010-04-19 04:51 . 2010-03-07 07:04 -------- d-----w- e:\program files\FileZilla FTP Client
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- e:\program files\WinSCP
2010-04-19 04:25 . 2010-04-19 04:25 -------- d-----w- e:\program files\Free Offers from Freeze.com
2010-04-16 15:33 . 2010-03-09 05:03 41472 ----a-w- e:\windows\system32\drivers\usbaapl.sys
2010-04-16 15:33 . 2010-03-09 05:03 3003680 ----a-w- e:\windows\system32\usbaaplrc.dll
2010-04-11 19:47 . 2010-04-11 19:47 -------- d-----w- e:\program files\Microsoft Silverlight
2010-04-09 04:28 . 2010-04-09 04:28 -------- d-----w- e:\documents and settings\home\Application Data\Intuit
2010-04-09 04:28 . 2010-04-09 04:27 -------- d-----w- e:\program files\Common Files\AnswerWorks 5.0
2010-04-09 04:27 . 2010-04-09 04:24 -------- d-----w- e:\program files\Common Files\Intuit
2010-04-09 04:24 . 2010-04-09 03:45 -------- d-----w- e:\documents and settings\All Users\Application Data\Intuit
2010-04-09 04:23 . 2010-04-09 04:23 -------- d-----w- e:\program files\TurboTax
2010-04-09 03:54 . 2010-04-09 03:54 -------- d-----w- e:\program files\MSBuild
2010-04-09 03:54 . 2010-04-09 03:54 -------- d-----w- e:\program files\Reference Assemblies
2010-04-09 01:59 . 2010-02-23 06:17 -------- d-----w- e:\program files\HP
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- e:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- e:\windows\system32\dns-sd.exe
2010-03-31 03:36 . 2010-03-31 03:36 -------- d-----w- e:\program files\Common Files\Java
2010-03-31 03:34 . 2010-03-31 03:34 503808 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\msvcp71.dll
2010-03-31 03:34 . 2010-03-31 03:34 499712 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\jmc.dll
2010-03-31 03:34 . 2010-03-31 03:34 61440 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b1e98b3-n\decora-sse.dll
2010-03-31 03:34 . 2010-03-31 03:34 348160 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2be91dac-n\msvcr71.dll
2010-03-31 03:34 . 2010-03-31 03:34 12800 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1b1e98b3-n\decora-d3d.dll
2010-03-26 04:41 . 2010-03-26 04:41 -------- d-----w- e:\program files\Opera
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- e:\windows\system32\GPhotos.scr
2010-03-18 05:37 . 2010-03-18 05:35 23109 ----a-w- e:\windows\hpqins15.dat
2010-03-14 07:20 . 2010-03-14 07:20 0 -c--a-w- e:\windows\nsreg.dat
2010-03-10 06:15 . 2006-02-28 11:00 420352 ----a-w- e:\windows\system32\vbscript.dll
2010-03-08 04:45 . 2010-03-08 04:45 86016 ----a-w- e:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-03-04 12:00 . 2010-03-04 12:00 79144 ----a-w- e:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-27 19:04 . 2010-02-27 19:04 152576 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-27 19:04 . 2010-02-27 19:04 79488 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-26 06:06 . 2010-02-26 06:06 552 ----a-w- e:\windows\system32\d3d8caps.dat
2010-02-25 06:24 . 2006-02-28 11:00 916480 ----a-w- e:\windows\system32\wininet.dll
2010-02-25 02:24 . 2010-02-25 02:24 152576 ----a-w- e:\documents and settings\home\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2010-02-24 13:11 . 2006-02-28 11:00 455680 ----a-w- e:\windows\system32\drivers\mrxsmb.sys
2010-02-24 04:18 . 2010-02-22 05:28 86327 ----a-w- e:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-23 07:26 . 2010-02-23 07:26 932368 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-02-23 07:26 . 2010-02-23 07:26 678416 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-02-23 07:26 . 2010-02-23 07:26 604688 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-02-23 07:26 . 2010-02-23 07:26 522768 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-02-23 07:26 . 2010-02-23 07:26 1096208 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-02-23 07:26 . 2010-02-23 07:26 80400 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-23 07:26 . 2010-02-23 07:26 80400 ----a-w- e:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-02-23 07:02 . 2010-02-23 06:50 155124 ----a-w- e:\windows\hpoins35.dat
2010-02-23 06:17 . 2010-02-23 06:17 10134 ----a-r- e:\documents and settings\home\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2010-02-23 04:47 . 2010-02-23 04:47 15781 ----a-w- e:\windows\system32\drivers\mdc8021x.sys
2010-02-22 05:25 . 2010-02-22 05:25 21640 ----a-w- e:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-05-18_06.50.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-22 01:44 . 2010-05-22 01:44 16384 e:\windows\Temp\Perflib_Perfdata_2dc.dat
+ 2006-02-28 11:00 . 2010-05-22 01:25 67312 e:\windows\system32\perfc009.dat
- 2006-02-28 11:00 . 2010-05-18 06:42 67312 e:\windows\system32\perfc009.dat
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-05-21 05:19 . 2010-05-21 05:19 25214 e:\windows\Installer\{F7B0939E-58DF-11DF-B3A6-005056806466}\ARPPRODUCTICON.exe
- 2006-02-28 11:00 . 2010-05-18 06:42 432356 e:\windows\system32\perfh009.dat
+ 2006-02-28 11:00 . 2010-05-22 01:25 432356 e:\windows\system32\perfh009.dat
+ 2010-05-21 04:35 . 2010-05-21 04:35 1155072 e:\windows\Installer\f7d831.msi
+ 2010-05-21 05:19 . 2010-05-21 05:19 1235968 e:\windows\Installer\11851a5.msi
- 2010-02-23 07:54 . 2010-04-30 18:51 32058312 e:\windows\system32\MRT.exe
+ 2010-02-23 07:54 . 2010-04-30 18:51 32058312 e:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02051D5E-7AF9-43C0-971E-3FCFFA9B5B1d}]
2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="e:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-03-29 2343120]
"SpybotSD TeaTimer"="e:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="e:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
"hpqSRMon"="e:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"AVP"="e:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2009-05-21 1501064]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"HP Software Update"="e:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Windows Defender"="e:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

e:\documents and settings\home\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - e:\program files\LimeWire\LimeWire.exe [2010-3-16 503808]
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"e:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"e:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"e:\\Program Files\\Opera\\opera.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;e:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R2 cpuz133;cpuz133;e:\windows\system32\drivers\cpuz133_x32.sys [5/1/2010 11:24 PM 20968]
R2 WinDefend;Windows Defender;e:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;e:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;e:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [4/28/2010 10:04 PM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-05-22 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 05:04]

2010-05-22 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-04-29 05:04]

2010-05-22 e:\windows\Tasks\MP Scheduled Scan.job
- e:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-05-22 e:\windows\Tasks\OGALogon.job
- e:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - e:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - e:\documents and settings\home\Application Data\Mozilla\Firefox\Profiles\ebbmrelf.default\
FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-76-0-Wfii
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: e:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: e:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: e:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: e:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-RTHDBPL - e:\documents and settings\home\Application Data\SystemProc\lsass.exe
Notify-50060e04916 - e:\windows\system32\eapp3hst32.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = e:\documents and settings\home\Application Data\SystemProc\lsass.exe??????????????r?????????????????????????????????????????????

scanning hidden files ...


e:\windows\TEMP\TMP00000005089C749F13BE8B86 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3112)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\program files\WinSCP\DragExt.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\program files\Analog Devices\SoundMAX\SMAgent.exe
e:\windows\system32\wscntfy.exe
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-21 18:49:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 01:49
ComboFix2.txt 2010-05-18 06:53

Pre-Run: 299,299,926,016 bytes free
Post-Run: 299,416,641,536 bytes free

- - End Of File - - 2FA03DD19FD19FA82029038882BBA4A1


Edited by Blade Zephon, 23 May 2010 - 09:58 PM.
Posted log in reply to facilitate analysis. Please do not attach logs unless the board software will not let you post them directly. Thanks!
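
The CFScript step in Blade's reply and the two logs above, worked as an added example that is not part of the thread and not ComboFix's own code: a small Python triage helper that parses the sections Blade is reading (catchme's hidden-file and hidden-autostart output, the Find3M attribute column, the Browser Helper Object entry, the orphans list and the DLLs loaded under winlogon.exe), tallies independent signals per path, and drafts the Suspect::/Registry:: script in the same form as above. The sample log is constructed from fragments of the posted logs, and every function name is an assumption of this example.

```python
"""Cross-reference a ComboFix log and draft a CFScript from it.

Added example for this thread, not ComboFix's own code and not Blade's.  SAMPLE_LOG is
constructed from fragments of the two logs posted above; every function name is hypothetical.
Each path collects independent signals (hidden from the Win32 API, hidden+system attributes,
registered as a BHO, hidden Explorer Run policy, loaded in winlogon.exe, orphaned autostart)
so a file that trips several of them, like ftsrch32.dll above, ranks first.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2010-05-18 06:50 . 2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll
2010-05-18 06:50 . 2010-05-18 06:50 1075712 --sha-w- e:\windows\system32\7E.tmp
2010-05-16 22:20 . 2010-05-16 22:20 1075712 --sha-w- e:\windows\system32\7D.tmp
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02051D5E-7AF9-43C0-971E-3FCFFA9B5B1d}]
2010-05-18 06:50 284672 ----a-w- e:\windows\system32\ftsrch32.dll
- - - - ORPHANS REMOVED - - - -
HKLM-Explorer_Run-RTHDBPL - e:\documents and settings\home\Application Data\SystemProc\lsass.exe
Notify-50060e04916 - e:\windows\system32\eapp3hst32.dll
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = e:\documents and settings\home\Application Data\SystemProc\lsass.exe??????????r???????
scanning hidden files ...
e:\windows\system32\ftsrch32.dll 284672 bytes executable
e:\windows\system32\unrar.exe 203776 bytes executable
scan completed successfully
- - - - - - - > 'winlogon.exe'(1000)
e:\windows\system32\eapp3hst32.dll
- - - - - - - > 'explorer.exe'(3688)
e:\windows\system32\7E.tmp
"""

FIND3M = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?:\d+|-+)\s+([a-z-]{8})\s+(.+)$")
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
BHO_DLL = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+\d+\s+[a-z-]{8}\s+(.+)$")
PROCESS = re.compile(r"^- - - - - - - > '([^']+)'\(\d+\)$")
HIDDEN = re.compile(r"^(.+?)\s+\d+ bytes executable$")
ORPHAN = re.compile(r"^(\S+) - (.+)$")
AUTOSTART = re.compile(r"^(\w+) = (.+)$")


def analyse(log):
    """Return ({lower-cased path: set of signal names}, [(registry key, value name)])."""
    signals, registry = defaultdict(set), []  # NTFS is case-insensitive, so paths are lower-cased
    section = proc = key = pending_bho = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("scanning hidden autostart"):
            section = "autostart"
        elif line.startswith("scanning hidden files"):
            section = "hidden"
        elif line.startswith("- - - - ORPHANS"):
            section = "orphans"
        elif (m := PROCESS.match(line)):
            section, proc = "loaded", m.group(1).lower()
        elif pending_bho:  # the line after a BHO key names its DLL
            if (m := BHO_DLL.match(line)):
                signals[m.group(1).lower()].add("bho " + pending_bho)
            pending_bho = None
        elif (m := BHO_KEY.match(line)):
            pending_bho = m.group(1)
        elif section == "autostart":
            if line.startswith("HK"):
                key = line  # registry key the following values live under
            elif (m := AUTOSTART.match(line)):
                path = m.group(2).split("?", 1)[0].rstrip()  # catchme pads the value with junk bytes
                signals[path.lower()].add("hidden autostart " + m.group(1))
                registry.append((key, m.group(1)))
        elif section == "hidden":
            if (m := HIDDEN.match(line)):
                signals[m.group(1).lower()].add("hidden file")
        elif section == "orphans":
            if (m := ORPHAN.match(line)) and m.group(2) != "(no file)":
                signals[m.group(2).lower()].add("orphan " + m.group(1))
        elif section == "loaded" and proc == "winlogon.exe" and ":\\" in line:
            signals[line.lower()].add("loaded in winlogon.exe")
        elif (m := FIND3M.match(line)):
            attrs, path = m.groups()  # e.g. "--sha-w-": s = system, h = hidden, d = directory
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                signals[path.lower()].add("hidden+system attributes")
    return signals, registry


def draft_cfscript(signals, registry):
    """Suspect:: / Registry:: sections in the thread's form, strongest evidence first."""
    ranked = sorted(signals, key=lambda p: (-len(signals[p]), p))
    lines = ["Suspect::", *ranked]
    if registry:
        lines += ["", "Registry::"]
        for reg_key, value in dict.fromkeys(registry):  # dedupe, keep order
            lines += [f"[{reg_key}]", f'"{value}"=-']  # "name"=- deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sig, reg = analyse(SAMPLE_LOG)
    print(draft_cfscript(sig, reg))
```

The draft is a starting point for the helper to review, not something to run blindly: the Find3M rule will also flag benign hidden system files, which is why the script reports per-path evidence rather than deciding on its own.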


#12 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:11:45 AM

Posted 23 May 2010 - 10:13 PM

Hello.

Still seeing some things I don't like. Let's check them out now.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link--> Virustotal

When the VirusTotal page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

e:\windows\system32\ftsrch32.dll
e:\windows\system32\unrar.exe
e:\documents and settings\home\Application Data\SystemProc\lsass.exe
e:\windows\system32\eapp3hst32.dll


Please post back the URL of the results page for each file in your next post.

If VirusTotal is busy, try the same at Jotti

~Blade


In your next reply, please include the following:
VirusTotal URLs (4)



#13 ussrsnpr
  • Topic Starter
  • Members
  • 15 posts
  • Local time:08:45 AM

Posted 24 May 2010 - 03:07 AM

Blade, here are the urls for ftsrch32 and eapp3hst I have no clue where to find the other two you asked for, I looked everywhere I could think of.?
http://www.virustotal.com/analisis/0a4060b...1310-1274610056

http://www.virustotal.com/analisis/d70b70f...901a-1273999299

#14 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 25 May 2010 - 05:18 PM

Hi ussrsnpr.

Please run the following scan for me.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


~Blade


In your next reply, please include the following:
GMER log

Edited by Blade Zephon, 25 May 2010 - 05:19 PM.



#15 ussrsnpr

ussrsnpr
  • Topic Starter

  • Members
  • 15 posts

Posted 27 May 2010 - 02:45 PM

OK, I have downloaded and run GMER; attached is the log. ussrsnpr

Attached Files

  • Attached File  GMER.log   13.17KB   5 downloads