Infected with Rootkit Round 2


  • This topic is locked
18 replies to this topic

#1 ABCB

  • Members
  • 24 posts
  • OFFLINE

Posted 18 June 2011 - 08:34 AM

Link to first computer: http://www.bleepingcomputer.com/forums/topic402797.html

DDS.txt:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 8:25:19 on 2011-06-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3314.2619 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
BHO: {0AB7AC0D-4313-4DBE-96C0-4EBF91B9DD66} - No File
BHO: {11DCD0B9-7AE6-4DC1-93B8-E057FD85EA6a} - No File
BHO: {156F581B-4313-4DBE-96C0-4EBF91B9DD66} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6C198697-95BE-1D9B-4767-23C9B8F31E37} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} - hxxp://192.168.0.95/pcsweb/activex/OBXViewer.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237228237082
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237228226444
DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} - hxxp://192.168.0.95/pcsweb/activex/OBXSelect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.51/TSWeb.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{771C0701-D5B7-4225-B2FB-348C1AC28DB1} : NameServer = 192.168.1.5
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 192.168.0.1 Vision
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-4 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2010-8-4 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2010-8-4 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-6 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\NAVENG.SYS [2010-11-28 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101128.002\NAVEX15.SYS [2010-11-28 1371184]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ecarey~1.the\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\ecarey~1.the\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ecarey~1.the\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\ecarey~1.the\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-5 133104]
S3 BlackBox;BlackBox SR2; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2010-8-4 23888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-5 133104]
.
=============== Created Last 30 ================
.
2011-06-16 16:04:26 -------- d-----w- C:\ComboFix
2011-06-16 15:38:07 -------- d-----w- C:\Support
2011-06-16 12:40:00 -------- d-----w- c:\documents and settings\administrator.Removed\application data\SPE
2011-06-09 14:51:55 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-06-06 20:37:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-06 20:37:42 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-06 20:06:00 -------- d-----w- C:\TEMP4
2011-06-06 19:00:52 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-06-06 19:00:49 -------- d-----w- c:\documents and settings\administrator.Removed\local settings\application data\NPE
2011-06-06 18:44:50 6141880 ----a-w- C:\NPE.exe
2011-06-06 18:39:09 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-06 17:51:50 388096 ----a-r- c:\documents and settings\administrator.Removed\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-06 17:51:49 -------- d-----w- c:\program files\Trend Micro
2011-05-23 22:57:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
.
============= FINISH: 8:26:18.21 ===============


Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/25/2008 7:38:27 AM
System Uptime: 6/18/2011 8:10:10 AM (0 hours ago)
.
Motherboard: Intel Corporation | | DG33BU
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | J1PR | 2400/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 44.164 GiB free.
D: is CDROM ()
F: is NetworkDisk (NTFS) - 1364 GiB total, 1340.143 GiB free.
O: is NetworkDisk (NTFS) - 1364 GiB total, 1340.143 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP774: 3/20/2011 8:28:48 PM - System Checkpoint
RP775: 3/21/2011 9:16:50 PM - System Checkpoint
RP776: 3/22/2011 9:16:55 PM - System Checkpoint
RP777: 3/23/2011 9:16:58 PM - System Checkpoint
RP778: 3/24/2011 10:17:01 PM - System Checkpoint
RP779: 3/25/2011 7:51:57 AM - Installed Director Workstation Prerequisites - PDS1250.
RP780: 3/25/2011 7:52:25 AM - Installed Web Director Workstation Components - PDS1251.
RP781: 3/26/2011 8:17:06 AM - System Checkpoint
RP782: 3/27/2011 9:17:09 AM - System Checkpoint
RP783: 3/28/2011 11:35:22 AM - System Checkpoint
RP784: 3/29/2011 1:49:52 PM - System Checkpoint
RP785: 3/30/2011 1:57:59 PM - System Checkpoint
RP786: 3/31/2011 3:05:58 PM - System Checkpoint
RP787: 4/1/2011 2:42:05 PM - Installed DS487
RP788: 4/1/2011 2:42:47 PM - Installed AmbirScan 2.0
RP789: 4/2/2011 2:58:09 PM - System Checkpoint
RP790: 4/3/2011 3:56:03 PM - System Checkpoint
RP791: 4/4/2011 4:51:52 PM - System Checkpoint
RP792: 4/5/2011 5:00:39 PM - System Checkpoint
RP793: 4/6/2011 5:56:07 PM - System Checkpoint
RP794: 4/7/2011 5:57:13 PM - System Checkpoint
RP795: 4/8/2011 6:56:15 PM - System Checkpoint
RP796: 4/9/2011 7:56:15 PM - System Checkpoint
RP797: 4/10/2011 8:56:16 PM - System Checkpoint
RP798: 4/11/2011 9:21:14 PM - System Checkpoint
RP799: 4/12/2011 10:21:15 PM - System Checkpoint
RP800: 4/13/2011 11:21:15 PM - System Checkpoint
RP801: 4/15/2011 12:21:18 AM - System Checkpoint
RP802: 4/16/2011 1:21:20 AM - System Checkpoint
RP803: 4/17/2011 2:21:22 AM - System Checkpoint
RP804: 4/18/2011 3:21:25 AM - System Checkpoint
RP805: 4/19/2011 4:21:27 AM - System Checkpoint
RP806: 4/20/2011 5:21:29 AM - System Checkpoint
RP807: 4/21/2011 6:21:18 AM - System Checkpoint
RP808: 4/22/2011 7:20:32 AM - System Checkpoint
RP809: 4/23/2011 7:38:47 AM - System Checkpoint
RP810: 4/24/2011 8:38:48 AM - System Checkpoint
RP811: 4/25/2011 11:17:59 AM - System Checkpoint
RP812: 4/26/2011 1:23:18 PM - System Checkpoint
RP813: 4/27/2011 1:38:58 PM - System Checkpoint
RP814: 4/28/2011 2:40:05 PM - System Checkpoint
RP815: 4/29/2011 3:13:46 PM - System Checkpoint
RP816: 4/30/2011 3:39:09 PM - System Checkpoint
RP817: 5/1/2011 4:39:11 PM - System Checkpoint
RP818: 5/2/2011 4:40:37 PM - System Checkpoint
RP819: 5/3/2011 5:23:29 PM - System Checkpoint
RP820: 5/4/2011 5:39:21 PM - System Checkpoint
RP821: 5/5/2011 5:40:22 PM - System Checkpoint
RP822: 5/6/2011 6:13:21 PM - System Checkpoint
RP823: 5/7/2011 6:40:28 PM - System Checkpoint
RP824: 5/8/2011 6:40:33 PM - System Checkpoint
RP825: 5/9/2011 6:40:36 PM - System Checkpoint
RP826: 5/10/2011 7:40:38 PM - System Checkpoint
RP827: 5/11/2011 7:40:43 PM - System Checkpoint
RP828: 5/12/2011 7:40:47 PM - System Checkpoint
RP829: 5/13/2011 8:40:49 PM - System Checkpoint
RP830: 5/14/2011 8:40:54 PM - System Checkpoint
RP831: 5/15/2011 8:40:57 PM - System Checkpoint
RP832: 5/16/2011 9:41:01 PM - System Checkpoint
RP833: 5/17/2011 9:41:04 PM - System Checkpoint
RP834: 5/18/2011 9:41:08 PM - System Checkpoint
RP835: 5/19/2011 10:41:12 PM - System Checkpoint
RP836: 5/20/2011 11:41:15 PM - System Checkpoint
RP837: 5/21/2011 11:41:19 PM - System Checkpoint
RP838: 5/22/2011 11:41:22 PM - System Checkpoint
RP839: 5/24/2011 12:01:36 AM - System Checkpoint
RP840: 5/25/2011 1:01:39 AM - System Checkpoint
RP841: 5/26/2011 1:17:41 AM - System Checkpoint
RP842: 5/27/2011 2:17:44 AM - System Checkpoint
RP843: 5/28/2011 2:17:48 AM - System Checkpoint
RP844: 5/29/2011 2:23:15 AM - System Checkpoint
RP845: 5/30/2011 3:23:18 AM - System Checkpoint
RP846: 5/31/2011 3:23:22 AM - System Checkpoint
RP847: 6/1/2011 3:23:25 AM - System Checkpoint
RP848: 6/2/2011 3:24:10 AM - System Checkpoint
RP849: 6/3/2011 4:24:12 AM - System Checkpoint
RP850: 6/4/2011 4:24:16 AM - System Checkpoint
RP851: 6/5/2011 5:24:19 AM - System Checkpoint
RP852: 6/6/2011 5:24:23 AM - System Checkpoint
RP853: 6/6/2011 12:51:48 PM - Installed HiJackThis
RP854: 6/6/2011 2:22:16 PM - Restore Operation
RP855: 6/6/2011 2:25:40 PM - Restore Operation
RP856: 6/6/2011 2:28:42 PM - Restore Operation
RP857: 6/7/2011 3:03:44 PM - System Checkpoint
RP858: 6/8/2011 4:22:46 PM - System Checkpoint
RP859: 6/9/2011 5:04:29 PM - System Checkpoint
RP860: 6/10/2011 6:14:57 PM - System Checkpoint
RP861: 6/11/2011 7:03:58 PM - System Checkpoint
RP862: 6/12/2011 7:04:01 PM - System Checkpoint
RP863: 6/14/2011 3:44:57 AM - System Checkpoint
RP864: 6/15/2011 9:11:29 AM - System Checkpoint
RP865: 6/16/2011 11:00:20 AM - Installed WinZip 15.5
RP866: 6/17/2011 11:03:08 AM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
AmbirScan 2.0
BackupSearch
Business Contact Manager for Outlook 2007 SP2
CorePLS_Full_QFolder
CorePLS_Min_QFolder
CustomerResearchQFolder
Deluxe Interface .NET Components
Director Workstation Prerequisites - PDS1250
DS487
Google Earth
Google Update Helper
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Care Pack Core
HP Care Pack Products
HP Extended Capabilities 6.0
HP LaserJet P2015 Series 1.0
HP Software Update
hppFonts
hppIOFiles
hppLJP2015
hppManualsP2015
hppMSRedist
hppTLBXFXP2015
hppusgP2015
hppWebRegMM
hpzTLBXFX
Integrated Teller 10.2.1
Integrated Teller Service Pack 5
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Java Auto Updater
Java™ 6 Update 22
LightScribe System Software 1.12.33.2
LiveUpdate 3.3 (Symantec Corporation)
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Meeting 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Nero 8 Essentials
neroxml
ODBC101C - ODBC10.1C Drivers
OGA Notifier 2.0.0048.0
Precision Graphical 10.2.1
Precision Service Pack 5
Product_SF_Full_QFolder
Product_SF_Min_QFolder
Progress OpenEdge 10.2B02
Progress Service Pack 5
Realtek High Definition Audio Driver
Register ActiveX 7.2
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Spybot - Search & Destroy
Symantec Endpoint Protection
TeamViewer 4
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
Verify 10.2.1
Verify Service Pack 5
Web Director Workstation Components - PDS1251
WebFldrs XP
WebIQ Technology Engine
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Search 4.0
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/16/2011 7:28:46 AM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
6/16/2011 6:19:02 AM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
6/16/2011 5:18:54 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 2 time(s).
6/16/2011 4:19:00 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 1 time(s).
6/16/2011 3:18:54 AM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 2 time(s).
6/16/2011 2:19:01 AM, error: Service Control Manager [7034] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
6/16/2011 12:18:55 AM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 2 time(s).
6/16/2011 10:55:16 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000015, parameter2 00000002, parameter3 00000000, parameter4 8053d9d4.
6/16/2011 10:51:03 AM, error: Service Control Manager [7031] - The Symantec Management Client service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
6/16/2011 10:50:54 AM, error: Service Control Manager [7031] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
6/16/2011 10:50:54 AM, error: Service Control Manager [7031] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
6/16/2011 10:50:28 AM, error: Service Control Manager [7031] - The Symantec Management Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
6/16/2011 10:35:41 AM, error: Service Control Manager [7000] - The DEEPMON service failed to start due to the following error: The system cannot find the path specified.
6/16/2011 1:19:01 AM, error: Service Control Manager [7034] - The Business Contact Manager SQL Server Startup Service service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 9:18:59 PM, error: Service Control Manager [7034] - The Automatic Updates service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 8:19:00 PM, error: Service Control Manager [7034] - The IPSEC Services service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 7:18:54 PM, error: Service Control Manager [7034] - The Business Contact Manager SQL Server Startup Service service terminated unexpectedly. It has done this 2 time(s).
6/15/2011 6:18:59 PM, error: Service Control Manager [7034] - The Business Contact Manager SQL Server Startup Service service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 5:19:01 PM, error: Service Control Manager [7034] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 3:15:31 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
6/15/2011 3:00:32 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000015, parameter2 00000002, parameter3 00000000, parameter4 805198e5.
6/15/2011 2:57:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SASDIFSV SASKUTIL SPBBCDrv SRTSP SRTSPX SYMTDI
6/15/2011 2:56:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/15/2011 11:19:00 PM, error: Service Control Manager [7034] - The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).
6/15/2011 1:05:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
6/13/2011 9:02:49 AM, error: Service Control Manager [7034] - The Remote Procedure Call (RPC) Locator service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 8:02:30 AM, error: Service Control Manager [7034] - The Extensible Authentication Protocol Service service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 7:02:30 AM, error: Service Control Manager [7034] - The Symantec Endpoint Protection service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 6:02:23 AM, error: Service Control Manager [7034] - The Uninterruptible Power Supply service terminated unexpectedly. It has done this 2 time(s).
6/13/2011 5:02:29 AM, error: Service Control Manager [7034] - The Uninterruptible Power Supply service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 4:02:26 AM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 2 time(s).
6/13/2011 3:02:29 AM, error: Service Control Manager [7034] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 2:15:56 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 2 time(s).
6/13/2011 2:02:29 AM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 2:02:10 PM, error: Service Control Manager [7034] - The Error Reporting Service service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 12:02:29 AM, error: Service Control Manager [7034] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s).
6/13/2011 1:02:29 AM, error: Service Control Manager [7034] - The Distributed Link Tracking Client service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 9:02:31 PM, error: Service Control Manager [7034] - The Health Key and Certificate Management Service service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 8:02:28 PM, error: Service Control Manager [7034] - The ClipBook service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 7:02:28 PM, error: Service Control Manager [7034] - The Application Management service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 6:02:27 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 5:03:18 PM, error: Service Control Manager [7034] - The Network DDE DSDM service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 11:02:28 PM, error: Service Control Manager [7034] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s).
6/12/2011 10:02:28 PM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================


I will also post the GMER log when it completes.

GMER Log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-18 11:42:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10 ST380815AS rev.4.AAB
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.THE\LOCALS~1\Temp\pgtyypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8A585948 ZwAlertResumeThread
SSDT 8A691828 ZwAlertThread
SSDT 8A4C55A0 ZwAllocateVirtualMemory
SSDT 89926378 ZwConnectPort
SSDT 8A546F38 ZwCreateMutant
SSDT 894F00B0 ZwCreateThread
SSDT 8A53A9A0 ZwFreeVirtualMemory
SSDT 8A549EA8 ZwImpersonateAnonymousToken
SSDT 8A549F68 ZwImpersonateThread
SSDT 8A53BDB0 ZwMapViewOfSection
SSDT 8A53EF88 ZwOpenEvent
SSDT 8A6426D0 ZwOpenProcessToken
SSDT 8A53B568 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xBA23D6B0]
SSDT 8A412378 ZwResumeThread
SSDT 8A5006A8 ZwSetContextThread
SSDT 8A68E528 ZwSetInformationProcess
SSDT 8A4B78C8 ZwSetInformationThread
SSDT 8910E748 ZwSuspendProcess
SSDT 8A5268D8 ZwSuspendThread
SSDT 8A4F9BF0 ZwTerminateProcess
SSDT 8A4B7808 ZwTerminateThread
SSDT 8A53A920 ZwUnmapViewOfSection
SSDT 8A538640 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

INITc VolSnap.sys BA0F3BD0 4 Bytes [70, A5, 53, 80]
INITc VolSnap.sys BA0F3BF8 4 Bytes [B8, A1, 4F, 80]
INITc VolSnap.sys BA0F3C20 4 Bytes [B6, AE, 4F, 80]
INITc VolSnap.sys BA0F3C48 4 Bytes [30, FF, 4F, 80]
INITc VolSnap.sys BA0F3C70 4 Bytes [7A, A8, 4F, 80]
INITc ...
? C:\DOCUME~1\ADMINI~1.THE\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2012] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00B16B70
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16D70
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0057000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0054000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0053000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0055000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0056000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0052000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0058000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00B16B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16D70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 0057000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0052000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0051000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0053000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 0056000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 004F000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00E1000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0059000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00E0000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0058000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00B16B70
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3812] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 00B16D70

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] 8A5FEE7A
Thread System [4:124] 8A601008

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\httpapi32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----


I had followed my other posting about the rootkit on this machine because it had the Windows XP Recovery malware on it; it also made the items in Start | All Programs show as empty, just as my other computer did. This one would not allow ComboFix to run. I have uninstalled Malwarebytes and run mbam-clean. I have not tried to reinstall it yet, nor done anything more than getting these logs.

Edited by hamluis, 18 June 2011 - 02:31 PM.
Merged posts.
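Reading the GMER sections above by hand is error-prone, so here is a small parser, added as an example (it is not part of the original post and not GMER's own code; the function names are mine), that pulls out the three things in that log worth a second look: user-mode inline hooks whose JMP target GMER could not attribute to any loaded module (the WS2_32.dll and WININET.dll hooks in the iexplore.exe processes, as opposed to the USER32.dll hooks that resolve to IEFRAME.dll), SSDT entries that are a bare address rather than a named driver (compare the wpsdrvnt.sys entry, which GMER attributes to the Symantec firewall), and the AppInit_DLLs value, which makes the listed DLL load into every process that maps user32.dll. The sample lines are copied from the log above. An unattributed entry is a lead to verify (find the code at that address, hash the file, check the signer), not a verdict.

```python
"""Triage helper for GMER output like the log posted above.

GMER lists a hook as the hooked symbol, the hook address, the JMP target and,
when the target lies inside a loaded module, that module's path and signer in
parentheses.  A bare target means GMER could not map it to any image.
Added example; not part of the original post and not GMER's own code.
"""
import re
from collections import defaultdict

# Sample lines copied from the GMER log in the post above.
SAMPLE_GMER = r"""
SSDT 8A585948 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xBA23D6B0]
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 00B16B70
.text C:\Program Files\Internet Explorer\iexplore.exe[2104] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 0053000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2728] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF000A
.text C:\WINDOWS\system32\SearchIndexer.exe[2012] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\httpapi32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
"""

# User-mode inline hook: ".text <process>[pid] <module>!<export> <addr> N Bytes JMP <target> [<owner>]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>.+))?$"
)
# SSDT entry: "SSDT <addr> <service>" (unattributed) or
# "SSDT <driver> (<description>/<signer>) <service> [0x<addr>]" (attributed).
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-F]{8})\s+(?P<service>Zw\w+)$")
SSDT_OWNED_RE = re.compile(r"^SSDT\s+(?P<owner>\S.*?\))\s+(?P<service>Zw\w+)\s+\[0x(?P<addr>[0-9A-F]+)\]$")
# Registry line: "Reg <key>@<value> [<data>]"; the key itself may contain spaces.
REG_RE = re.compile(r"^Reg\s+(?P<key>.+?)@(?P<value>\S+)(?:\s+(?P<data>.*))?$")


def parse_hooks(lines):
    """One dict per user-mode hook line; 'owner' is None when GMER named no module."""
    hooks = [m.groupdict() for m in map(HOOK_RE.match, (l.strip() for l in lines)) if m]
    for h in hooks:
        h["pid"] = int(h["pid"])
    return hooks


def unattributed_hooks(lines):
    """Hooks whose JMP target is outside every loaded module, grouped by (process, pid)."""
    grouped = defaultdict(list)
    for h in parse_hooks(lines):
        if not h["owner"]:
            grouped[(h["process"], h["pid"])].append(f'{h["module"]}!{h["export"]} -> {h["target"]}')
    return dict(grouped)


def ssdt_hooks(lines):
    """SSDT entries as dicts with 'service', 'addr', 'owner' (None if unattributed)."""
    entries = []
    for line in lines:
        m = SSDT_OWNED_RE.match(line.strip()) or SSDT_BARE_RE.match(line.strip())
        if m:
            entries.append({"owner": None, **m.groupdict()})
    return entries


def unattributed_ssdt(lines):
    """Names of SSDT services whose handler GMER could not tie to a driver image."""
    return [e["service"] for e in ssdt_hooks(lines) if e["owner"] is None]


def appinit_dlls(lines):
    """DLLs in AppInit_DLLs (space/comma separated) and whether LoadAppInit_DLLs is 1."""
    # XP loads a non-empty AppInit_DLLs into every process that maps user32.dll
    # regardless of the switch; Vista and later also require LoadAppInit_DLLs=1.
    dlls, enabled = [], False
    for line in lines:
        m = REG_RE.match(line.strip())
        if not m:
            continue
        name, data = m["value"].lower(), (m["data"] or "").strip()
        if name == "appinit_dlls" and data:
            dlls = [p for p in re.split(r"[\s,]+", data) if p]
        elif name == "loadappinit_dlls":
            enabled = data == "1"
    return {"dlls": dlls, "load_enabled": enabled}


def triage(text):
    """Everything in the log that needs a human decision, in one structure."""
    lines = text.splitlines()
    return {
        "unattributed_hooks": unattributed_hooks(lines),
        "unattributed_ssdt": unattributed_ssdt(lines),
        "appinit": appinit_dlls(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_GMER)
    for (proc, pid), hooks in result["unattributed_hooks"].items():
        print(f"{proc}[{pid}]:", *hooks, sep="\n    ")
    print("unattributed SSDT:", result["unattributed_ssdt"])
    print("AppInit_DLLs:", result["appinit"])
```

Run it against a full GMER log (`triage(open("gmer.log").read())`) and the output is the short list of entries to chase down; everything GMER could attribute to a module is left out, which is what makes the two IE processes stand out in the log above.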




#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 18 June 2011 - 05:47 PM

Hello

OK, let's try this: I want you to run ComboFix in Safe Mode, but it is very important that, when ComboFix reboots the computer, you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 ABCB

  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 20 June 2011 - 06:43 AM

Here is the copy of ComboFix in Safe Mode. At first it did not want to go and was hanging up, but then, after I left it off overnight, it went; I guess it wanted more than a few minutes' rest.

ComboFix 11-06-19.0r1 - Administrator 06/20/2011 6:26.1.4 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3314.2992 [GMT -5:00]
Running from: c:\documents and settings\Administrator.Removed\Desktop\Erin\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\backupsearch\BackupSearch.exe
c:\documents and settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}
c:\documents and settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\chrome.manifest
c:\documents and settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\chrome\xulcache.jar
c:\documents and settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\defaults\preferences\xulcache.js
c:\documents and settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\install.rdf
c:\documents and settings\ECarey.Removed\GoToAssistDownloadHelper.exe
c:\documents and settings\ECarey.Removed\Start Menu\Programs\Windows XP Recovery
c:\documents and settings\ECarey.Removed\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
c:\documents and settings\ECarey.Removed\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
c:\windows\system32\srvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-16 16:00 . 2011-06-16 16:01 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-06-16 15:38 . 2011-06-16 15:38 -------- d-----w- C:\Support
2011-06-16 12:40 . 2011-06-16 12:40 -------- d-----w- c:\documents and settings\Administrator.Removed\Application Data\SPE
2011-06-09 14:51 . 2007-07-27 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-06-06 20:37 . 2011-06-06 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-06-06 20:37 . 2011-06-06 20:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-06 20:06 . 2011-06-06 20:06 -------- d-----w- C:\TEMP4
2011-06-06 19:50 . 2011-06-06 19:50 -------- d-----w- c:\documents and settings\ECarey.Removed\Local Settings\Application Data\Mozilla
2011-06-06 19:00 . 2011-06-06 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-06-06 19:00 . 2011-06-06 19:06 -------- d-----w- c:\documents and settings\Administrator.Removed\Local Settings\Application Data\NPE
2011-06-06 18:44 . 2011-06-06 18:43 6141880 ----a-w- C:\NPE.exe
2011-06-06 18:39 . 2011-06-06 18:39 -------- d-----w- c:\documents and settings\ECarey.Removed\Application Data\SUPERAntiSpyware.com
2011-06-06 18:39 . 2011-06-06 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-06 17:51 . 2011-06-06 17:51 388096 ----a-r- c:\documents and settings\Administrator.Removed\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-06 17:51 . 2011-06-06 17:51 -------- d-----w- c:\program files\Trend Micro
2011-05-23 22:57 . 2011-06-01 17:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-01 19:42 . 2011-04-01 19:42 680448 ----a-r- c:\documents and settings\ECarey.Removed\Application Data\Microsoft\Installer\{1A59E71B-8FC0-445A-B438-C2158306C892}\DocketSCANIcon.exe
2011-04-14 16:26 . 2011-06-06 19:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-13 16377344]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-08-04 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\ECarey.Removed\Start Menu\Programs\Startup\
AmbirScan.lnk - c:\program files\Ambir\AmbirScan 2.0\AmbirScan.exe [2009-12-9 680448]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2011-5-27 610120]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 04:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-12-24 02:47 618496 ----a-w- c:\program files\HP\DfaWep\bin\hpbdfawep.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-02-26 19:08 2289664 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-03-25 19:33 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolBoxFX]
2006-06-15 13:43 49152 ----a-w- c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ECAREY~1.THE\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ECAREY~1.THE\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ECAREY~1.THE\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ECAREY~1.THE\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2009 5:47 PM 133104]
S3 BlackBox;BlackBox SR2; [x]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [8/4/2010 11:27 AM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/6/2010 8:45 AM 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2009 5:47 PM 133104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 19:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-05 22:47]
.
2011-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-05 22:47]
.
2011-06-18 c:\windows\Tasks\User_Feed_Synchronization-{8883546C-F9F8-47CD-9658-94E2DF994497}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{771C0701-D5B7-4225-B2FB-348C1AC28DB1}: NameServer = 192.168.1.5
DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} - hxxp://192.168.0.95/pcsweb/activex/OBXViewer.cab
DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} - hxxp://192.168.0.95/pcsweb/activex/OBXSelect.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.51/TSWeb.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{0AB7AC0D-4313-4DBE-96C0-4EBF91B9DD66} - (no file)
BHO-{11DCD0B9-7AE6-4DC1-93B8-E057FD85EA6a} - (no file)
BHO-{156F581B-4313-4DBE-96C0-4EBF91B9DD66} - (no file)
BHO-{6C198697-95BE-1D9B-4767-23C9B8F31E37} - (no file)
SafeBoot-Symantec Antvirus
AddRemove-IntegratedTellerV10SP5 - c:\program files\PCS\Uninstall.exe
AddRemove-PrecisionV10SP5 - c:\program files\PCS\Vision\Uninstall.exe
AddRemove-ProgressV10SP5 - c:\program files\PCS\Progress\Uninstall.exe
AddRemove-VerifyV10SP5 - c:\program files\PCS\Verify\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-20 06:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3000319003-1465775636-1855818162-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,06,5d,f7,b1,e3,e5,48,b4,fe,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,06,5d,f7,b1,e3,e5,48,b4,fe,7d,\
.
Completion time: 2011-06-20 06:33:06
ComboFix-quarantined-files.txt 2011-06-20 11:33
.
Pre-Run: 50,788,859,904 bytes free
Post-Run: 51,373,924,352 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7F5B14D53DF07BF4CA8FF63EEA34F6E0

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 21 June 2011 - 08:30 AM

Hello


How are things doing at this time?

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

1. Click on Start
2. Then go to Settings
3. After that you need Control Panel
4. Look for the icon Add/Remove Programs
Click on the following program

Adobe Reader 9

and click on Remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says "Also Download Adobe Photoshop® Album Starter Edition".

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 25 June 2011 - 02:35 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#6 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 27 June 2011 - 01:17 PM

Doing this today; I had some issues with family that had to be taken care of.

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 27 June 2011 - 01:29 PM

:thumbup2:

#8 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 27 June 2011 - 01:39 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6961

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/27/2011 1:37:02 PM
mbam-log-2011-06-27 (13-37-02).txt

Scan type: Quick scan
Objects scanned: 206285
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 27 June 2011 - 01:42 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:40:32 PM, on 6/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Ambir\AmbirScan 2.0\AmbirScan.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Documents and Settings\ECarey.Removed\Desktop\mobankhelpdesk.exe
C:\DOCUME~1\ECAREY~1.THE\LOCALS~1\Temp\7zS4.tmp\winvnc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {0AB7AC0D-4313-4DBE-96C0-4EBF91B9DD66} - (no file)
O2 - BHO: (no name) - {11DCD0B9-7AE6-4DC1-93B8-E057FD85EA6a} - (no file)
O2 - BHO: (no name) - {156F581B-4313-4DBE-96C0-4EBF91B9DD66} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6C198697-95BE-1D9B-4767-23C9B8F31E37} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AmbirScan.lnk = C:\Program Files\Ambir\AmbirScan 2.0\AmbirScan.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://192.168.0.95/pcsweb/activex/OBXViewer.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237228237082
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237228226444
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://192.168.0.95/pcsweb/activex/OBXSelect.cab
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - https://www.mesh.com/0.9.4014.51/TSWeb.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Removed.local
O17 - HKLM\Software\..\Telephony: DomainName = Removed.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{771C0701-D5B7-4225-B2FB-348C1AC28DB1}: NameServer = 192.168.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Removed.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Removed.local
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 10074 bytes
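A defender reading a HijackThis log like the one above usually checks a few things by hand: O2 BHOs registered with "(no file)" (dangling CLSID registrations), the executable behind each O4 autostart entry, O16 DPF ActiveX controls fetched over plain HTTP or from internal addresses, and processes running out of a Temp directory. The following is an added example, not part of the thread or of HijackThis itself, that automates those checks; SAMPLE_LOG is constructed from lines of the posted log, and the regular expressions assume the 2.0.4 line layout seen there.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the HijackThis 2.0.4 log format: a few lines copied
# from the posted log (not the whole file) so the checks have input to work on.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ECAREY~1.THE\LOCALS~1\Temp\7zS4.tmp\winvnc.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: (no name) - {0AB7AC0D-4313-4DBE-96C0-4EBF91B9DD66} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://192.168.0.95/pcsweb/activex/OBXViewer.cab
O16 - DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - https://www.mesh.com/0.9.4014.51/TSWeb.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# Executable at the start of an O4 command line, quoted or not, before any arguments.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|lnk|dll|scr|cmd|bat))"?(?:\s|$)', re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into the running-process list and the coded entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False          # a blank line ends the process list
        elif (m := ENTRY_RE.match(line)):
            entries.append((m["code"], m["body"]))
    return processes, entries


def autostart_exe(body):
    """(location, name, executable) for an O4 entry body, or None if unparsable."""
    m = RUN_RE.match(body) or LNK_RE.match(body)
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    return m["key"], m["name"], (exe["exe"] if exe else m["cmd"].split()[0])


def dpf_needs_review(url):
    """ActiveX control fetched without TLS, or from a private/internal address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return True
    try:
        return ipaddress.ip_address(parts.hostname or "").is_private
    except ValueError:                # hostname is a DNS name, not an IP literal
        return False


def triage(text):
    """Run the defender-side checks and return the findings keyed by check name."""
    processes, entries = parse_log(text)
    out = {"orphaned_bho": [], "dpf_review": [], "autostarts": [],
           "temp_processes": [p for p in processes if TEMP_RE.search(p)]}
    for code, body in entries:
        if code == "O2" and (m := BHO_RE.match(body)) and m["path"] == "(no file)":
            out["orphaned_bho"].append(m["clsid"])       # dangling CLSID registration
        elif code == "O4" and (parsed := autostart_exe(body)):
            out["autostarts"].append(parsed)
        elif code == "O16" and (m := DPF_RE.match(body)) and dpf_needs_review(m["url"]):
            out["dpf_review"].append((m["clsid"], m["url"]))
    return out


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

A hit from these checks is a prompt to look closer (for instance, a VNC server running from a Temp folder may be a legitimate remote-support session), not a verdict on its own.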

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 27 June 2011 - 01:54 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
      O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#11 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 27 June 2011 - 03:25 PM

Still getting popups.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=241474050491394fae88940f2ae853ce
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-06-27 08:13:05
# local_time=2011-06-27 03:13:05 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 896960 896960 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=103035
# found=9
# cleaned=0
# scan_time=4316
C:\Qoobox\Quarantine\C\Documents and Settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\chrome\xulcache.jar.vir JS/Agent.NDB trojan (unable to clean) 00000000000000000000000000000000 I
C:\Software\Nero8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP862\A0065048.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP863\A0065128.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP864\A0065154.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP864\A0065887.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP864\A0067947.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP866\A0075259.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
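The ESET findings above are easier to read once they are grouped by where each hit lives: the files under C:\Qoobox\Quarantine are what ComboFix already quarantined (renamed with a .vir extension), the _restore{...} entries are System Restore point copies, and only what remains on the live file system needs a decision. The following is an added example, not part of the thread or of ESET, that parses the log's `# key=value` header and its finding lines (path, detection name, type, action in parentheses, 32-hex hash, flag, as laid out in the post) and produces that grouping; SAMPLE_ESET_LOG is constructed from lines of the posted log.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log format: the header keys
# that matter for triage plus three of the nine findings from the posted log.
SAMPLE_ESET_LOG = r"""# version=7
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=103035
# found=9
# cleaned=0
C:\Qoobox\Quarantine\C\Documents and Settings\ECarey.Removed\Application Data\Mozilla\Firefox\Profiles\v9qb8f93.default\extensions\{207500d9-2956-4efd-8388-23cb795ceb0f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Software\Nero8\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe Win32/Toolbar.AskSBar application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{80C17ED4-A365-464D-9260-37E7C4DF15FE}\RP862\A0065048.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
"""

# One finding line: <path with spaces> <detection> <type> (<action>) <32 hex> <flag>
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<kind>\w+)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)


def classify_location(path):
    """Where a hit lives decides how much attention it needs."""
    low = path.lower()
    if low.startswith(r"c:\qoobox\quarantine"):      # ComboFix quarantine, already neutralised
        return "combofix quarantine"
    if r"\system volume information\_restore" in low:  # System Restore point copy
        return "system restore point"
    return "live file system"


def parse_eset_log(text):
    """Return (header dict, list of finding dicts) for an ESET Online Scanner log."""
    header, findings = {}, []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif (m := FINDING_RE.match(line)):
            finding = m.groupdict()
            finding["location"] = classify_location(finding["path"])
            findings.append(finding)
    return header, findings


def summarize(text):
    """Triage summary: counts by location and detection, plus the live hits to act on."""
    header, findings = parse_eset_log(text)
    live = [f for f in findings if f["location"] == "live file system"]
    return {
        "reported_found": int(header.get("found", 0)),
        "parsed": len(findings),
        "removal_was_enabled": header.get("remove_checked") == "true",
        "by_location": dict(Counter(f["location"] for f in findings)),
        "by_threat": dict(Counter(f["threat"] for f in findings)),
        "needs_attention": [(f["path"], f["threat"]) for f in live],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ESET_LOG).items():
        print(f"{key}: {value}")
```

With the full nine-line log from the post, the only hit outside quarantine or a restore point is the Nero PhotoShow installer flagged as the Ask toolbar bundle, which is why the scan result does not by itself explain the popups described later in the thread.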

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 27 June 2011 - 06:22 PM

tell me more about the popups


gringo

#13 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 29 June 2011 - 09:01 AM

The pop ups are random: TMZ, Facebook, Twitter, Celebbuzz or something like that, travel. Also, when I go to the Start button and All Programs, things that were installed before the infection are showing as empty, such as Microsoft Office, Accessories and so forth. Things I have installed during the removal process are showing in there and are showing the different programs.

Another thing that is still happening with this computer: when I go to Internet Explorer and go to Yahoo or Google or any other search site, I can search for something and it will pull up a list. If I click on the links it will not take me to the site but to a random site. Once at the random site I cannot click the back button to get out of the site. Now, if I right click on the link in the search site and open it in a new tab or window, it will go to the site 98% of the time.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:56 AM

Posted 29 June 2011 - 04:37 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\ComboFix-quarantined-files.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#15 ABCB

ABCB
  • Topic Starter

  • Members
  • 24 posts
  • Local time:07:56 AM

Posted 30 June 2011 - 03:51 PM

I will be gone for the next few days as it is a holiday weekend here; I will not be back till Tuesday, July 5th. Will post this then. Thanks.

