
Possible Virus - multiple Blue Screens


This topic is locked. 16 replies to this topic.

#1 StonetheCrow77 (Members, 25 posts)

Posted 07 September 2011 - 09:19 PM

Currently working on a PC and I believe it may have a virus causing it to crash. Any advice is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:15:09 PM, on 9/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe
C:\Program Files\Portrait Displays\Pivot Pro Plugin\wpctrl.exe
C:\Program Files\Portrait Displays\Pivot Pro Plugin\floater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.suddenlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.4.11.9.dll
O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~4\ToolBar\searchqudtx.dll (file missing)
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~4\ToolBar\searchqudtx.dll (file missing)
O3 - Toolbar: (no name) - !{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" -delay=10
O4 - HKLM\..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [PMBVolumeWatcher] C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.4.11.9.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.unitedmilliondollarsummer.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
O23 - Service: PMBDeviceInfoProvider - Sony Corporation - C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 9559 bytes
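The O2/O3 entries above are where a malware responder looks first: two of them point at a DLL that is no longer on disk ("(file missing)" / "(no file)"), one carries no name at all, and the same CLSID is registered both as a BHO and as a toolbar, while the O15 line adds a domain to Internet Explorer's Trusted Zone. The script below is an added example, not part of the thread and not HijackThis code; it parses HijackThis-style lines and returns the entries that deserve a second look. The sample lines are constructed, modelled on the log above, and every function and pattern name is this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from HijackThis)."""
import re

# Constructed sample modelled on the O2/O3/O4/O15 lines in the log above (not a live scan).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O2 - BHO: Searchqu Toolbar - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\PROGRA~1\WINDOW~4\ToolBar\searchqudtx.dll (file missing)",
    r"O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)",
    r"O3 - Toolbar: (no name) - !{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)",
    r'O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui',
    r"O15 - Trusted Zone: http://*.unitedmilliondollarsummer.com",
]

# Every HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O2/O3 bodies are "<kind>: <name> - {CLSID} - <path>"; O3 prefixes the CLSID with "!".
COM_RE = re.compile(
    r"^(?:BHO|Toolbar): (?P<name>.+?) - !?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


def parse_entry(line):
    """Split one log line into its section code and body, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def triage(lines):
    """Return (section, key, reason) tuples for entries a responder would review."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        section, body = entry["section"], entry["body"]
        if section in ("O2", "O3"):
            m = COM_RE.match(body)
            if not m:
                continue
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            reasons = []
            if name == "(no name)":
                reasons.append("unnamed")            # registered object with no display name
            if "(file missing)" in path or path == "(no file)":
                reasons.append("orphaned")           # registry entry survives, binary is gone
            if reasons:
                findings.append((section, clsid.lower(), ", ".join(reasons)))
        elif section == "O15":
            # Anything added to the Trusted Zone lowers IE's security for that domain.
            findings.append((section, body.partition(": ")[2], "trusted zone addition"))
    return findings


def clsids_by_section(findings):
    """Group flagged CLSIDs by the sections they appear in (BHO + toolbar = same component)."""
    out = {}
    for section, key, _reason in findings:
        if key.startswith("{"):
            out.setdefault(key, set()).add(section)
    return out


if __name__ == "__main__":
    for section, key, reason in triage(SAMPLE_HJT_LINES):
        print(f"{section:4} {reason:24} {key}")
```

Run on the sample it reports four entries: the orphaned Searchqu BHO, the unnamed and orphaned CLSID 9D425283 under both O2 and O3, and the Trusted Zone domain; the clean Adobe BHO and the avast! Run entry are ignored. Orphaned entries are harmless by themselves but are the residue of something that was installed and only partially removed, which is why a responder wants the full picture before fixing anything.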

#2 HelpBot (Bleepin' Binary Bot, Bots, 12,704 posts)

Posted 12 September 2011 - 09:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417975 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 StonetheCrow77 (Topic Starter, Members, 25 posts)

Posted 13 September 2011 - 08:48 PM

The system is running extremely slow. It blue screens often. When I run DDS, it stops during the scan and blue screens the PC as well. As this is a 64 bit OS, I'm skipping the GMER.

• If you are unable to create a log please provide detailed information about your installed Windows Operating System:

Windows XP Professional
Version 2002
Service Pack 3
64bit system

#4 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 14 September 2011 - 07:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

If you can boot to safe mode then please run this tool

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 StonetheCrow77 (Topic Starter, Members, 25 posts)

Posted 14 September 2011 - 10:02 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-14 21:38:53
-----------------------------
21:38:53.640 OS Version: Windows 5.1.2600 Service Pack 3
21:38:53.640 Number of processors: 2 586 0xF06
21:38:53.640 ComputerName: KIMHOME UserName:
21:38:54.625 Initialize success
21:38:56.171 AVAST engine defs: 11091401
21:39:14.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2
21:39:14.531 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
21:39:14.546 Disk 0 MBR read successfully
21:39:14.562 Disk 0 MBR scan
21:39:15.000 Disk 0 Windows XP default MBR code
21:39:15.031 Disk 0 scanning sectors +488247480
21:39:15.671 Disk 0 scanning C:\WINDOWS\system32\drivers
21:39:28.765 Service scanning
21:39:32.156 Modules scanning
21:39:33.421 Disk 0 trace - called modules:
21:39:33.437
21:39:33.859 AVAST engine scan C:\WINDOWS
21:39:50.312 AVAST engine scan C:\WINDOWS\system32
21:41:00.484 AVAST engine scan C:\WINDOWS\system32\drivers
21:41:11.078 AVAST engine scan C:\Documents and Settings\Kim Phares
21:58:25.218 AVAST engine scan C:\Documents and Settings\All Users
22:00:00.921 Scan finished successfully
22:00:29.171 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kim Phares\Desktop\MBR.dat"
22:00:29.203 The log file has been saved successfully to "C:\Documents and Settings\Kim Phares\Desktop\aswMBR.txt"

#6 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 15 September 2011 - 04:36 PM

Was that run in safe mode or did you manage to boot it normally?
m0le is a proud member of UNITE

#7 StonetheCrow77 (Topic Starter, Members, 25 posts)

Posted 15 September 2011 - 08:47 PM

Was that run in safe mode or did you manage to boot it normally?



Sorry, this was run in safe mode. Do I need to run it in normal mode?

#8 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 17 September 2011 - 05:52 AM

Run the tools in normal mode if possible. Let me know if you can't.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: ComboFix Recovery Console prompt]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: ComboFix "Recovery Console installed" message]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 StonetheCrow77 (Topic Starter, Members, 25 posts)

Posted 18 September 2011 - 12:30 PM

I can not run the aswMBR app in normal mode. Blue Screened with an IRQL error.

I was able to run ComboFix in normal mode. See log:

ComboFix 11-09-18.01 - Kim Phares 09/18/2011 12:08:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.574 [GMT -5:00]
Running from: c:\documents and settings\Kim Phares\Desktop\comfix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Default User\Application Data\DPInst.exe
c:\documents and settings\Default User\Application Data\gacutil.exe
c:\documents and settings\Default User\Application Data\PnPutil.exe
c:\documents and settings\Kim Phares\Application Data\Mozilla\Firefox\Profiles\fmw78oc6.default\searchplugins\SearchquWebSearch.xml
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory\hpqselsk.exe.a048b05c.ini
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory\hpqthb08.exe.a935d1e0.ini
c:\documents and settings\Kim Phares\Local Settings\Application Data\ApplicationHistory\PerSonoPro_Agent.exe.b431a2d.ini
c:\program files\Mozilla Firefox\searchplugins\SearchquWebSearch.xml
c:\windows\$MSI31Uninstall_KB893803v2$
c:\windows\$MSI31Uninstall_KB893803v2$\msi.dll
c:\windows\$MSI31Uninstall_KB893803v2$\msiexec.exe
c:\windows\$MSI31Uninstall_KB893803v2$\msihnd.dll
c:\windows\$MSI31Uninstall_KB893803v2$\msimsg.dll
c:\windows\$MSI31Uninstall_KB893803v2$\msisip.dll
c:\windows\$MSI31Uninstall_KB893803v2$\reg00013
c:\windows\$MSI31Uninstall_KB893803v2$\reg00014
c:\windows\$MSI31Uninstall_KB893803v2$\reg00015
c:\windows\$MSI31Uninstall_KB893803v2$\reg00016
c:\windows\$MSI31Uninstall_KB893803v2$\reg00017
c:\windows\$MSI31Uninstall_KB893803v2$\reg00018
c:\windows\$MSI31Uninstall_KB893803v2$\reg00019
c:\windows\$MSI31Uninstall_KB893803v2$\reg00020
c:\windows\$MSI31Uninstall_KB893803v2$\reg00021
c:\windows\$MSI31Uninstall_KB893803v2$\reg00022
c:\windows\$MSI31Uninstall_KB893803v2$\reg00023
c:\windows\$MSI31Uninstall_KB893803v2$\reg00024
c:\windows\$MSI31Uninstall_KB893803v2$\reg00025
c:\windows\$MSI31Uninstall_KB893803v2$\reg00026
c:\windows\$MSI31Uninstall_KB893803v2$\reg00027
c:\windows\$MSI31Uninstall_KB893803v2$\reg00028
c:\windows\$MSI31Uninstall_KB893803v2$\reg00029
c:\windows\$MSI31Uninstall_KB893803v2$\reg00030
c:\windows\$MSI31Uninstall_KB893803v2$\reg00031
c:\windows\$MSI31Uninstall_KB893803v2$\reg00032
c:\windows\$MSI31Uninstall_KB893803v2$\reg00033
c:\windows\$MSI31Uninstall_KB893803v2$\reg00034
c:\windows\$MSI31Uninstall_KB893803v2$\reg00035
c:\windows\$MSI31Uninstall_KB893803v2$\reg00036
c:\windows\$MSI31Uninstall_KB893803v2$\reg00037
c:\windows\$MSI31Uninstall_KB893803v2$\reg00038
c:\windows\$MSI31Uninstall_KB893803v2$\reg00039
c:\windows\$MSI31Uninstall_KB893803v2$\reg00040
c:\windows\$MSI31Uninstall_KB893803v2$\reg00041
c:\windows\$MSI31Uninstall_KB893803v2$\reg00042
c:\windows\$MSI31Uninstall_KB893803v2$\reg00043
c:\windows\$MSI31Uninstall_KB893803v2$\reg00044
c:\windows\$MSI31Uninstall_KB893803v2$\reg00045
c:\windows\$MSI31Uninstall_KB893803v2$\reg00046
c:\windows\$MSI31Uninstall_KB893803v2$\reg00047
c:\windows\$MSI31Uninstall_KB893803v2$\reg00048
c:\windows\$MSI31Uninstall_KB893803v2$\reg00051
c:\windows\$MSI31Uninstall_KB893803v2$\reg00052
c:\windows\$MSI31Uninstall_KB893803v2$\reg00053
c:\windows\$MSI31Uninstall_KB893803v2$\reg00054
c:\windows\$MSI31Uninstall_KB893803v2$\reg00055
c:\windows\$MSI31Uninstall_KB893803v2$\reg00056
c:\windows\$MSI31Uninstall_KB893803v2$\reg00057
c:\windows\$MSI31Uninstall_KB893803v2$\reg00058
c:\windows\$MSI31Uninstall_KB893803v2$\reg00059
c:\windows\$MSI31Uninstall_KB893803v2$\reg00060
c:\windows\$MSI31Uninstall_KB893803v2$\reg00061
c:\windows\$MSI31Uninstall_KB893803v2$\reg00062
c:\windows\$MSI31Uninstall_KB893803v2$\reg00063
c:\windows\$MSI31Uninstall_KB893803v2$\reg00064
c:\windows\$MSI31Uninstall_KB893803v2$\reg00065
c:\windows\$MSI31Uninstall_KB893803v2$\reg00066
c:\windows\$MSI31Uninstall_KB893803v2$\reg00067
c:\windows\$MSI31Uninstall_KB893803v2$\reg00068
c:\windows\$MSI31Uninstall_KB893803v2$\reg00069
c:\windows\$MSI31Uninstall_KB893803v2$\reg00070
c:\windows\$MSI31Uninstall_KB893803v2$\reg00071
c:\windows\$MSI31Uninstall_KB893803v2$\reg00072
c:\windows\$MSI31Uninstall_KB893803v2$\reg00073
c:\windows\$MSI31Uninstall_KB893803v2$\reg00074
c:\windows\$MSI31Uninstall_KB893803v2$\reg00075
c:\windows\$MSI31Uninstall_KB893803v2$\reg00076
c:\windows\$MSI31Uninstall_KB893803v2$\reg00077
c:\windows\$MSI31Uninstall_KB893803v2$\reg00078
c:\windows\$MSI31Uninstall_KB893803v2$\reg00079
c:\windows\$MSI31Uninstall_KB893803v2$\reg00080
c:\windows\$MSI31Uninstall_KB893803v2$\reg00081
c:\windows\$MSI31Uninstall_KB893803v2$\reg00082
c:\windows\$MSI31Uninstall_KB893803v2$\reg00083
c:\windows\$MSI31Uninstall_KB893803v2$\reg00084
c:\windows\$MSI31Uninstall_KB893803v2$\reg00085
c:\windows\$MSI31Uninstall_KB893803v2$\reg00086
c:\windows\$MSI31Uninstall_KB893803v2$\reg00087
c:\windows\$MSI31Uninstall_KB893803v2$\reg00088
c:\windows\$MSI31Uninstall_KB893803v2$\reg00089
c:\windows\$MSI31Uninstall_KB893803v2$\reg00090
c:\windows\$MSI31Uninstall_KB893803v2$\reg00091
c:\windows\$MSI31Uninstall_KB893803v2$\reg00092
c:\windows\$MSI31Uninstall_KB893803v2$\reg00093
c:\windows\$MSI31Uninstall_KB893803v2$\reg00094
c:\windows\$MSI31Uninstall_KB893803v2$\reg00095
c:\windows\$MSI31Uninstall_KB893803v2$\reg00096
c:\windows\$MSI31Uninstall_KB893803v2$\reg00097
c:\windows\$MSI31Uninstall_KB893803v2$\reg00098
c:\windows\$MSI31Uninstall_KB893803v2$\reg00099
c:\windows\$MSI31Uninstall_KB893803v2$\reg00100
c:\windows\$MSI31Uninstall_KB893803v2$\reg00101
c:\windows\$MSI31Uninstall_KB893803v2$\reg00102
c:\windows\$MSI31Uninstall_KB893803v2$\reg00103
c:\windows\$MSI31Uninstall_KB893803v2$\reg00104
c:\windows\$MSI31Uninstall_KB893803v2$\reg00105
c:\windows\$MSI31Uninstall_KB893803v2$\reg00106
c:\windows\$MSI31Uninstall_KB893803v2$\reg00107
c:\windows\$MSI31Uninstall_KB893803v2$\reg00108
c:\windows\$MSI31Uninstall_KB893803v2$\reg00109
c:\windows\$MSI31Uninstall_KB893803v2$\reg00110
c:\windows\$MSI31Uninstall_KB893803v2$\reg00111
c:\windows\$MSI31Uninstall_KB893803v2$\reg00112
c:\windows\$MSI31Uninstall_KB893803v2$\reg00113
c:\windows\$MSI31Uninstall_KB893803v2$\reg00114
c:\windows\$MSI31Uninstall_KB893803v2$\reg00115
c:\windows\$MSI31Uninstall_KB893803v2$\reg00116
c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe
c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.inf
c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.txt
c:\windows\$MSI31Uninstall_KB893803v2$\spuninst\updspapi.dll
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-08-18 to 2011-09-18 )))))))))))))))))))))))))))))))
.
.
2011-09-17 02:23 . 2011-09-17 02:23 398760 ----a-r- c:\windows\cpnprt2.cid
2011-09-17 02:23 . 2011-09-17 02:23 398760 ------w- c:\windows\system32\cpnprt2.cid
2011-09-17 02:22 . 2011-09-17 02:22 -------- d-----w- c:\program files\Coupons
2011-09-08 23:25 . 2011-09-08 23:25 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Eastman_Kodak_Company
2011-09-08 23:22 . 2011-09-08 23:22 -------- d-----w- c:\windows\system32\kodak
2011-09-08 23:17 . 2011-09-08 23:17 -------- d-----w- c:\documents and settings\Default User\Application Data\Temp
2011-09-08 02:14 . 2011-09-08 02:14 388096 ----a-r- c:\documents and settings\Kim Phares\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-08 02:14 . 2011-09-08 02:14 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 17:10 . 2011-06-05 21:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-08-08 1407848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" [2010-05-13 110192]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-06-30 121456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-16 2510848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-09-05 2232752]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-1-31 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgentMonitor]
2010-12-21 08:53 326048 ----a-w- c:\program files\VTech\DownloadManager\System\AgentMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 21:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 19:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2011-01-08 04:09 585728 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 02:24 405504 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21260:TCP"= 21260:TCP:BitComet 21260 TCP
"21260:UDP"= 21260:UDP:BitComet 21260 UDP
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/25/2011 2:03 AM 218592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [5/25/2011 2:26 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [5/25/2011 2:26 AM 59664]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2010 12:44 PM 165584]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/25/2011 2:03 AM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2010 12:44 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [9/5/2011 5:00 PM 393648]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/16/2010 3:06 PM 80896]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [4/12/2011 6:45 PM 109168]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/18/2011 9:20 PM 100456]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [3/19/2011 2:17 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 7:01 PM 21248]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/25/2011 2:03 AM 63360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/25/2011 2:03 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [5/25/2011 2:26 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.suddenlink.net/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: unitedmilliondollarsummer.com
TCP: DhcpNameServer = 208.180.83.133 208.180.42.68
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Kim Phares\Application Data\Mozilla\Firefox\Profiles\fmw78oc6.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.literotica.com/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe
MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-18 12:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1100)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-09-18 12:17:11
ComboFix-quarantined-files.txt 2011-09-18 17:17
.
Pre-Run: 185,189,040,128 bytes free
Post-Run: 186,507,681,792 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - EE1214DA174F574BA53D91A0B0DE28A5



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:03:37 AM

Posted 18 September 2011 - 06:22 PM

Please rerun Combofix as shown below

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\Kim Phares\Application Data\Mozilla\Firefox\Profiles\fmw78oc6.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL -


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please next run ESET

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated, that means nothing was found. Please let me know if this happens.

Edited by m0le, 18 September 2011 - 06:22 PM.

m0le is a proud member of UNITE
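
An added example, not part of the thread and not ComboFix's own code: a short Python script that pulls out of a ComboFix log the lines a helper acts on in a thread like this one (Security Center overrides, a disabled firewall, globally open ports, a Winsock LSP, an IE Trusted Zone entry, a hijacked Firefox search), and then writes the Firefox:: section of a CFScript in exactly the format of the script posted above. The sample input is a subset of the log posted earlier in the thread, embedded as constructed input; the severity labels and the list of built-in Firefox search engines are this example's own assumptions.

```python
"""Flag the lines in a ComboFix log that a helper acts on, and emit the
matching CFScript 'Firefox::' section. Added example: not ComboFix's code and
not part of the thread. Sample input is copied from the log posted above;
the severities and heuristics are this example's own."""
import re

# Constructed input: a subset of the ComboFix log posted earlier in the thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"21260:TCP"= 21260:TCP:BitComet 21260 TCP
"21260:UDP"= 21260:UDP:BitComet 21260 UDP
.
------- Supplementary Scan -------
.
LSP: c:\\program files\\Common Files\\PC Tools\\Lsp\\PCTLsp.dll
Trusted Zone: unitedmilliondollarsummer.com
FF - ProfilePath - c:\\documents and settings\\Kim Phares\\Application Data\\Mozilla\\Firefox\\Profiles\\fmw78oc6.default\\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.literotica.com/
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
"""

# Assumption: engines Firefox shipped with at the time; anything else chosen
# as the default search is worth a look.
BUILTIN_ENGINES = {"google", "yahoo", "bing", "amazon.com", "ebay", "twitter",
                   "wikipedia (en)"}
PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - ?(?P<value>.*)$")
PROFILE_RE = re.compile(r"^FF - ProfilePath - (?P<path>.+)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirus|Firewall)Override"=dword:0*1$')


def triage(log_text):
    """Return (severity, reason, line) for each line worth acting on."""
    findings = []
    section = ""  # lower-cased [registry key] header currently being read
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("-------"):   # e.g. Supplementary Scan: registry dump is over
            section = ""
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if "security center" in section and OVERRIDE_RE.match(line):
            findings.append(("medium", "Security Center override set: no warning that AV/firewall is off", line))
        elif section.endswith("firewallpolicy\\standardprofile]") and line.startswith('"EnableFirewall"= 0'):
            findings.append(("high", "Windows Firewall disabled on the standard profile", line))
        elif "globallyopenports" in section and line.startswith('"'):
            findings.append(("medium", "inbound port opened for every application", line))
        elif line.startswith("LSP:"):
            findings.append(("info", "Winsock LSP loads into every socket-using process, lsass.exe included; verify the vendor", line))
        elif line.startswith("Trusted Zone:"):
            findings.append(("high", "IE Trusted Zone entry: relaxed script/ActiveX security for this site", line))
        else:
            m = PREF_RE.match(line)
            if not m:
                continue
            name, value = m.group("name"), m.group("value").strip()
            if name == "keyword.URL" and value:
                findings.append(("high", "address-bar searches sent to a third-party engine (search hijack)", line))
            elif name == "browser.search.selectedEngine" and value.lower() not in BUILTIN_ENGINES:
                findings.append(("medium", "default search engine is not a built-in one", line))
    return findings


def build_cfscript(log_text):
    """Emit a CFScript 'Firefox::' section that blanks the flagged prefs.

    Same layout as the script posted in the thread: the header, the profile
    path, then one 'FF - prefs.js: <name> -' line (empty value) per pref.
    """
    profile = None
    for raw in log_text.splitlines():
        m = PROFILE_RE.match(raw.strip())
        if m:
            profile = m.group("path")
            break
    names = [PREF_RE.match(line).group("name")
             for _sev, _why, line in triage(log_text) if PREF_RE.match(line)]
    if not names:
        return ""
    out = ["Firefox::"]
    if profile:
        out.append("FF - ProfilePath - " + profile)
    out += ["FF - prefs.js: %s -" % n for n in names]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sev.upper(), why, line))
    print(build_cfscript(SAMPLE_LOG))
```

Run with python3 and it prints the findings followed by the CFScript block. Two things worth noting: the browser.startup.homepage pref is deliberately left alone, because a site the user picked is not a hijack (the posted script does the same), and the Security Center override values are only a "check" rather than proof of infection, since they can also be set when a third-party suite registers itself with Security Center or when a user silences its warnings; this log has avast and Spyware Doctor installed, so the helper reads them in that context.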

#11 StonetheCrow77

StonetheCrow77
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:37 PM

Posted 19 September 2011 - 07:31 AM

Ran comfix as instructed. This is the log.

ComboFix 11-09-18.03 - Kim Phares 09/18/2011 21:29:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.682 [GMT -5:00]
Running from: c:\documents and settings\Kim Phares\Desktop\comfix.exe
Command switches used :: c:\documents and settings\Kim Phares\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))
.
.
2011-09-18 20:03 . 2011-09-18 20:47 -------- d-----w- c:\documents and settings\Kim Phares\Application Data\gtk-2.0
2011-09-18 20:03 . 2011-09-18 20:03 -------- d-----w- c:\documents and settings\Kim Phares\.thumbnails
2011-09-18 20:02 . 2011-09-18 21:10 -------- d-----w- c:\documents and settings\Kim Phares\.gimp-2.6
2011-09-18 20:01 . 2011-09-18 20:01 -------- d-----w- c:\program files\GIMP-2.0
2011-09-18 19:40 . 2011-09-18 19:40 -------- d-----w- c:\documents and settings\Kim Phares\Local Settings\Application Data\Corel
2011-09-18 19:36 . 2011-09-18 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2011-09-18 19:36 . 2011-09-18 19:39 -------- d-----w- c:\program files\Common Files\Corel
2011-09-18 19:36 . 2011-09-18 19:36 -------- d-----w- c:\program files\Corel
2011-09-18 19:34 . 2005-05-26 20:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2011-09-18 19:34 . 2011-09-18 19:35 -------- d-----w- c:\windows\LastGood
2011-09-17 02:23 . 2011-09-17 02:23 398760 ----a-r- c:\windows\cpnprt2.cid
2011-09-17 02:23 . 2011-09-17 02:23 398760 ------w- c:\windows\system32\cpnprt2.cid
2011-09-17 02:22 . 2011-09-17 02:22 -------- d-----w- c:\program files\Coupons
2011-09-08 23:25 . 2011-09-08 23:25 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Eastman_Kodak_Company
2011-09-08 23:22 . 2011-09-08 23:22 -------- d-----w- c:\windows\system32\kodak
2011-09-08 23:17 . 2011-09-08 23:17 -------- d-----w- c:\documents and settings\Default User\Application Data\Temp
2011-09-08 02:14 . 2011-09-08 02:14 388096 ----a-r- c:\documents and settings\Kim Phares\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-08 02:14 . 2011-09-08 02:14 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-26 17:10 . 2011-06-05 21:58 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-18_17.15.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2005-09-23 06:35 . 2005-09-23 06:35 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867\vcomp.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:26 . 2006-12-02 05:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 03:56 . 2006-12-02 03:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2005-09-23 04:49 . 2005-09-23 04:49 95744 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_6e805841\ATL80.dll
+ 2011-09-18 19:34 . 2005-12-05 23:07 61136 c:\windows\system32\xinput9_1_0.dll
+ 2011-09-18 19:35 . 2007-04-04 23:53 81768 c:\windows\system32\xinput1_3.dll
+ 2011-09-18 19:35 . 2006-07-28 14:30 62744 c:\windows\system32\xinput1_2.dll
+ 2011-09-18 19:35 . 2006-03-31 17:39 62672 c:\windows\system32\xinput1_1.dll
+ 2011-09-18 19:35 . 2007-10-22 08:37 17928 c:\windows\system32\X3DAudio1_2.dll
+ 2011-09-18 19:35 . 2007-03-05 17:42 15128 c:\windows\system32\x3daudio1_1.dll
+ 2011-09-18 19:34 . 2006-02-03 13:41 14032 c:\windows\system32\x3daudio1_0.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 12800 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Diagnostics.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 53248 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2011-09-18 19:35 . 2007-06-21 01:45 18280 c:\windows\LastGood\system32\x3daudio1_2.dll
+ 2011-09-18 19:35 . 2006-09-28 21:03 15128 c:\windows\LastGood\system32\x3daudio1_1.dll
+ 2011-09-18 19:35 . 2006-02-03 13:41 14032 c:\windows\LastGood\system32\x3daudio1_0.dll
+ 2011-09-18 19:41 . 2011-09-18 19:41 53248 c:\windows\Installer\{DE4BF4BE-3CDC-43B5-BBDA-DDDA73103111}\ARPPRODUCTICON.exe
+ 2011-09-18 19:35 . 2011-09-18 19:35 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2011-09-18 19:35 . 2007-07-20 05:57 267112 c:\windows\system32\xactengine2_9.dll
+ 2011-09-18 19:35 . 2007-06-21 01:46 266088 c:\windows\system32\xactengine2_8.dll
+ 2011-09-18 19:35 . 2007-04-04 23:55 261480 c:\windows\system32\xactengine2_7.dll
+ 2011-09-18 19:35 . 2007-01-24 20:27 255848 c:\windows\system32\xactengine2_6.dll
+ 2011-09-18 19:35 . 2006-12-08 17:02 251672 c:\windows\system32\xactengine2_5.dll
+ 2011-09-18 19:35 . 2006-09-28 21:05 237848 c:\windows\system32\xactengine2_4.dll
+ 2011-09-18 19:35 . 2006-07-28 14:30 236824 c:\windows\system32\xactengine2_3.dll
+ 2011-09-18 19:35 . 2006-05-31 12:24 230168 c:\windows\system32\xactengine2_2.dll
+ 2011-09-18 19:35 . 2007-10-22 08:39 267272 c:\windows\system32\xactengine2_10.dll
+ 2011-09-18 19:35 . 2006-03-31 17:39 229584 c:\windows\system32\xactengine2_1.dll
+ 2011-09-18 19:34 . 2006-02-03 13:42 230096 c:\windows\system32\xactengine2_0.dll
+ 2011-09-18 19:35 . 2007-10-02 14:56 444776 c:\windows\system32\d3dx10_36.dll
+ 2011-09-18 19:35 . 2007-07-19 23:14 444776 c:\windows\system32\d3dx10_35.dll
+ 2011-09-18 19:35 . 2007-05-16 21:45 443752 c:\windows\system32\d3dx10_34.dll
+ 2011-09-18 19:35 . 2007-03-15 21:57 443752 c:\windows\system32\d3dx10_33.dll
+ 2011-09-18 19:35 . 2006-03-31 16:27 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2006-02-03 12:40 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-12-05 22:20 577536 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-09-28 19:11 577536 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2908.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-07-22 22:21 577024 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-05-26 20:15 576000 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-03-18 22:23 567296 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-02-06 00:32 563712 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 223232 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 178176 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectSound.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 364544 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectPlay.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 159232 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectInput.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 145920 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.DirectDraw.dll
+ 2011-09-18 19:35 . 2005-03-18 21:23 473600 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3D.dll
+ 2011-09-18 19:34 . 2011-09-18 19:34 332288 c:\windows\Installer\8f20cf.msi
+ 2011-09-18 19:35 . 2011-09-18 19:35 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2011-09-18 19:35 . 2007-10-12 20:14 3734536 c:\windows\system32\d3dx9_36.dll
+ 2011-09-18 19:35 . 2007-05-16 21:45 3497832 c:\windows\system32\d3dx9_34.dll
+ 2011-09-18 19:35 . 2007-03-12 21:42 3495784 c:\windows\system32\d3dx9_33.dll
+ 2011-09-18 19:35 . 2006-11-29 18:06 3426072 c:\windows\system32\d3dx9_32.dll
+ 2011-09-18 19:35 . 2006-09-28 21:05 2414360 c:\windows\system32\d3dx9_31.dll
+ 2011-09-18 19:34 . 2006-02-03 13:43 2332368 c:\windows\system32\d3dx9_29.dll
+ 2011-09-18 19:34 . 2005-12-05 23:09 2323664 c:\windows\system32\d3dx9_28.dll
+ 2011-09-18 19:34 . 2005-07-23 00:59 2319568 c:\windows\system32\d3dx9_27.dll
+ 2011-09-18 19:34 . 2005-03-18 22:19 2337488 c:\windows\system32\d3dx9_25.dll
+ 2011-09-18 19:34 . 2005-02-06 00:45 2222800 c:\windows\system32\d3dx9_24.dll
+ 2011-09-18 19:35 . 2007-10-12 20:14 1374232 c:\windows\system32\D3DCompiler_36.dll
+ 2011-09-18 19:35 . 2007-07-19 23:14 1358192 c:\windows\system32\D3DCompiler_35.dll
+ 2011-09-18 19:35 . 2007-05-16 21:45 1124720 c:\windows\system32\D3DCompiler_34.dll
+ 2011-09-18 19:35 . 2007-03-12 21:42 1123696 c:\windows\system32\D3DCompiler_33.dll
+ 2011-09-18 19:35 . 2004-12-01 20:53 2846720 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2004-09-29 17:38 2676224 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2007-07-19 23:14 3727720 c:\windows\LastGood\system32\d3dx9_35.dll
+ 2011-09-18 19:34 . 2006-03-31 17:40 2388176 c:\windows\LastGood\system32\d3dx9_30.dll
+ 2011-09-18 19:41 . 2011-09-18 19:41 3451392 c:\windows\Installer\8f236e.msi
+ 2011-09-18 19:35 . 2011-09-18 19:35 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-09-18 19:35 . 2011-09-18 19:35 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-08-08 1407848]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2010-06-27 526992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Pro Plugin\Pivot_startup.exe" [2010-05-13 110192]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-06-30 121456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-11-27 648032]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2011-06-16 2510848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-09-05 2232752]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2011-1-31 6144]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AgentMonitor]
2010-12-21 08:53 326048 ----a-w- c:\program files\VTech\DownloadManager\System\AgentMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 21:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 19:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTC Sync Loader]
2011-01-08 04:09 585728 ----a-w- c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDTSysTrayApp]
2007-09-06 02:24 405504 ----a-w- c:\windows\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-02-26 00:28 212992 ----a-w- c:\progra~1\Nero\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\VTech\\DownloadManager\\System\\AgentMonitor.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21260:TCP"= 21260:TCP:BitComet 21260 TCP
"21260:UDP"= 21260:UDP:BitComet 21260 UDP
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/25/2011 2:03 AM 218592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [5/25/2011 2:26 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [5/25/2011 2:26 AM 59664]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/16/2010 12:44 PM 165584]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/25/2011 2:03 AM 233136]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/16/2010 12:44 PM 17744]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKAiOHostService.exe [9/5/2011 5:00 PM 393648]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [9/16/2010 3:06 PM 80896]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [4/12/2011 6:45 PM 109168]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [11/27/2010 12:55 AM 398176]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [4/18/2011 9:20 PM 100456]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [3/19/2011 2:17 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [6/22/2010 7:01 PM 21248]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/25/2011 2:03 AM 63360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/25/2011 2:03 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [5/25/2011 2:26 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.suddenlink.net/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: unitedmilliondollarsummer.com
TCP: DhcpNameServer = 208.180.83.133 208.180.42.68
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Kim Phares\Application Data\Mozilla\Firefox\Profiles\fmw78oc6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.literotica.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Corel File Shell Monitor - c:\program files\Corel\Corel PaintShop Photo Pro\X3\PSPClassic\CorelIOMonitor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-18 21:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1100)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-18 21:37:04
ComboFix-quarantined-files.txt 2011-09-19 02:37
ComboFix2.txt 2011-09-18 17:17
.
Pre-Run: 184,797,147,136 bytes free
Post-Run: 185,350,488,064 bytes free
.
- - End Of File - - FDEFC612C5ADEDB6FEB1CB19C0F57930


Ran ESET as instructed. Exported log, see below.

C:\Documents and Settings\Kim Phares\Application Data\Sun\Java\Deployment\cache\6.0\1\18f94b81-14ba9075 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Documents and Settings\Kim Phares\Application Data\Sun\Java\Deployment\cache\6.0\43\775a696b-5d7e4d5f Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
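The ComboFix service lines and supplementary-scan entries in the log above follow a regular layout, so a short script can pull out the items a responder checks first: services whose binary sits outside the usual program directories, services ComboFix could not record a date/size for, Trusted Zone additions, Winsock LSPs, ActiveX (DPF) downloads and the start page. The Python below is an added example written for this page; it is not ComboFix's, ESET's or the poster's code. Its sample log is built from lines quoted in the thread plus one constructed service line (updhelper, a made-up name) that stands in for a binary running from a user profile directory; the standard-roots rule, the reading of "[?]" as "file could not be examined", and the flag categories are this example's own heuristics, not ComboFix semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ComboFix service/driver line: "S3 name;Description;c:\path\file.exe [date time size]".
# The bracketed metadata is optional; the thread's ThreatFire line carries "[?]" instead.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$"
)
# Supplementary-scan lines worth surfacing: Trusted Zone, Winsock LSP, ActiveX (DPF), start page.
SUPP_RE = re.compile(r"^(?P<kind>Trusted Zone|LSP|DPF|[um]Start Page)\s*[:=]\s*(?P<value>.+?)\s*$")
# First executable path inside the path field (the ThreatFire line repeats it after "-->").
BINARY_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|sys|dll)", re.I)
# Heuristic chosen for this example: binaries outside these roots get a closer look.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Service:
    state: str            # R = running, S = stopped; the digit is the start type
    name: str
    desc: str
    path: str
    meta: Optional[str]   # "date time size" or "?" (this example treats "?" as "not examined")


def parse_service(line: str) -> Optional[Service]:
    """Parse one ComboFix service/driver line; return None for any other line."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    return Service(m["state"], m["name"].strip(), m["desc"].strip(), m["path"].strip(), m["meta"])


def service_findings(svc: Service) -> List[str]:
    """Return the reasons (possibly none) a responder should look at this service."""
    findings = []
    exe = BINARY_RE.search(svc.path)
    binary = exe.group(0).lower() if exe else svc.path.lower()
    if not binary.startswith(STANDARD_ROOTS):
        findings.append(f"binary outside standard roots: {binary}")
    if svc.meta is None or svc.meta.strip() == "?":
        findings.append("no file date/size recorded: binary could not be examined")
    return findings


def triage(log_lines) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for the log entries worth a manual check."""
    out = []
    for raw in log_lines:
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            for f in service_findings(svc):
                out.append(("service", f"{svc.name}: {f}"))
            continue
        m = SUPP_RE.match(line)
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        if kind == "Trusted Zone":
            # A Trusted Zone entry relaxes IE's security controls for that domain; confirm who added it.
            out.append(("trusted-zone", value))
        elif kind == "LSP":
            # A Winsock LSP is loaded into every process that uses Winsock (the log shows this one in lsass.exe).
            out.append(("lsp", value))
        elif kind == "DPF":
            out.append(("activex", value))
        else:
            out.append(("start-page", value))
    return out


# Constructed sample: lines copied from the thread, plus the made-up "updhelper" service.
SAMPLE_LOG = r"""
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/25/2011 2:03 AM 63360]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S2 updhelper;Update Helper;c:\documents and settings\user\application data\updhelper.exe [9/1/2011 1:00 AM 45056]
uStart Page = hxxp://home.suddenlink.net/
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: unitedmilliondollarsummer.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
""".strip().splitlines()

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:13} {detail}")
```

Running it surfaces the ThreatFire service with no recorded metadata, the constructed profile-directory service, the start page, the PC Tools LSP, the Trusted Zone domain and the Garmin ActiveX control. Each hit is a prompt for a manual check against what the user installed, not a verdict; the pctplsg driver, a vendor file in a standard path with normal metadata, produces no finding.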



#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 September 2011 - 04:57 PM

How is the machine running now?
m0le is a proud member of UNITE

#13 StonetheCrow77

  • Topic Starter
  • Members
  • 25 posts

Posted 19 September 2011 - 08:05 PM

How is the machine running now?



PC is running ok. We shall see if it blue screens any time soon!

#14 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 September 2011 - 08:10 PM

Let's give it a bit of time and see. :)
m0le is a proud member of UNITE

#15 StonetheCrow77

  • Topic Starter
  • Members
  • 25 posts

Posted 19 September 2011 - 08:22 PM

Let's give it a bit of time and see. :)


Thank you very much for your assistance!