"newgenerationp.com/x" and "oldschoolzzz.com.x"


This topic is locked
40 replies to this topic

#21 CaseyJ000

New Member, 38 posts
Posted 22 June 2012 - 09:53 PM

I'm not sure what was happening this morning, but my wife was trying to print an email, and she said something was wrong. There was a light blue screen I've never seen before with her email windows on top. It had words on it. It looked like some sort of "HA HA We've taken over" screen. I pushed the button to turn the computer off. I tried to reboot and install AVG. The location for the download was blocked. I tried to make the download locations not be "read only", but nothing worked, and I couldn't even change the location; it was greyed out. I started to get requests for Administrator passwords when I tried to change the location. I rebooted in Safe Mode, started AVG, downloaded from my other computer. It picked up no threats. Malwarebytes, however, had now quarantined 2 files I had not seen before. One is a password generator. I wrote down what they were before deleting. I did the DDS in Safe Mode. It's included below. I'm now in Safe Mode with Networking. I'm nervous about transferring anything to my other computer with my USB stick.
Spyware.Passwords.Xgen c:\documents and settings\Frances\local settings\Temp\494A.tmp
Trojan agent.Gen c:\documents and settings\all users\application data\Defender1.exe.exe
.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Administrator at 19:22:29 on 2012-06-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.661 [GMT -7:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\setup_11.0.0.1245.x01_2012_06_22_16_41.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\7586332.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3454357\7586332.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = "c:\docume~1\frances\desktop\outloo~1\msimn.exe"
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [frxmxins] frxmxins
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\_uninst_.lnk - c:\documents and settings\administrator\local settings\temp\_uninst_.bat
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.clarkcolor.com/ClarkActivia.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://aon.webex.com/client/T25L10NSP41EP7/webex/ieatgpc.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ucmmjbyv.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\frances\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\frances\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2010-8-12 810144]
S2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [2005-1-16 53248]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-14 654408]
S2 PPPoEService;PPPoE Service;c:\progra~1\nts\entern~1\app\pppoeservice.exe --> c:\progra~1\nts\entern~1\app\pppoeservice.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-29 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [2005-1-16 417061]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-5-14 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-29 129976]
.
=============== Created Last 30 ================
.
2012-06-22 15:01:03 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-22 15:01:03 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-20 13:51:06 518144 ----a-w- c:\windows\SWREG.exe
2012-06-20 13:51:06 256000 ----a-w- c:\windows\PEV.exe
2012-06-20 13:51:06 208896 ----a-w- c:\windows\MBR.exe
2012-06-20 13:51:05 98816 ----a-w- c:\windows\sed.exe
2012-06-20 05:15:19 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-20 04:52:34 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 14:29:31 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-06-16 14:29:30 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-06-16 14:29:30 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-06-16 14:29:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-06-13 02:25:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 02:25:34 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-30 01:58:31 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-29 14:49:32 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
==================== Find3M ====================
.
2012-06-13 02:25:02 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-30 02:01:24 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:24:04.90 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/16/2005 12:43:54 PM
System Uptime: 6/22/2012 8:24:00 AM (11 hours ago)
.
Motherboard: Dell Computer Corp. | |
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2784/533mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 31.033 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 699 GiB total, 637.908 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP289: 3/25/2012 5:25:38 AM - System Checkpoint
RP290: 3/26/2012 8:12:52 AM - System Checkpoint
RP291: 3/27/2012 1:22:24 PM - System Checkpoint
RP292: 3/28/2012 1:50:02 PM - System Checkpoint
RP293: 3/29/2012 2:26:38 PM - System Checkpoint
RP294: 3/30/2012 2:42:12 PM - System Checkpoint
RP295: 3/31/2012 3:26:35 PM - System Checkpoint
RP296: 4/1/2012 3:27:39 PM - System Checkpoint
RP297: 4/2/2012 3:53:59 PM - System Checkpoint
RP298: 4/3/2012 3:56:22 PM - System Checkpoint
RP299: 4/4/2012 4:16:52 PM - System Checkpoint
RP300: 4/5/2012 4:22:39 PM - System Checkpoint
RP301: 4/6/2012 5:20:29 PM - System Checkpoint
RP302: 4/7/2012 5:41:34 PM - System Checkpoint
RP303: 4/8/2012 5:56:07 PM - System Checkpoint
RP304: 4/9/2012 6:08:07 PM - System Checkpoint
RP305: 4/10/2012 6:42:55 PM - System Checkpoint
RP306: 4/11/2012 8:50:12 AM - Software Distribution Service 3.0
RP307: 4/12/2012 10:01:33 AM - System Checkpoint
RP308: 4/13/2012 10:48:15 AM - System Checkpoint
RP309: 4/14/2012 8:25:44 PM - System Checkpoint
RP310: 4/15/2012 9:42:50 PM - System Checkpoint
RP311: 4/16/2012 9:47:08 PM - System Checkpoint
RP312: 4/17/2012 10:47:09 PM - System Checkpoint
RP313: 4/18/2012 11:11:20 PM - System Checkpoint
RP314: 4/19/2012 1:15:01 PM - Installed QuickTime
RP315: 4/20/2012 1:24:07 PM - System Checkpoint
RP316: 4/21/2012 2:23:56 PM - System Checkpoint
RP317: 4/22/2012 3:25:00 PM - System Checkpoint
RP318: 4/23/2012 4:23:55 PM - System Checkpoint
RP319: 4/24/2012 5:20:14 PM - System Checkpoint
RP320: 4/25/2012 6:30:50 PM - System Checkpoint
RP321: 4/26/2012 7:21:19 PM - System Checkpoint
RP322: 4/27/2012 7:43:38 PM - System Checkpoint
RP323: 4/28/2012 8:37:59 PM - System Checkpoint
RP324: 4/29/2012 9:37:58 PM - System Checkpoint
RP325: 4/30/2012 10:07:20 PM - System Checkpoint
RP326: 5/1/2012 10:36:38 PM - System Checkpoint
RP327: 5/2/2012 10:59:15 PM - System Checkpoint
RP328: 5/3/2012 11:59:14 PM - System Checkpoint
RP329: 5/5/2012 12:59:19 AM - System Checkpoint
RP330: 5/6/2012 1:59:15 AM - System Checkpoint
RP331: 5/7/2012 2:50:19 AM - System Checkpoint
RP332: 5/8/2012 3:50:18 AM - System Checkpoint
RP333: 5/9/2012 4:50:20 AM - System Checkpoint
RP334: 5/10/2012 8:57:12 AM - System Checkpoint
RP335: 5/10/2012 1:13:35 PM - Software Distribution Service 3.0
RP336: 5/11/2012 1:30:29 PM - System Checkpoint
RP337: 5/12/2012 1:52:39 PM - System Checkpoint
RP338: 5/13/2012 2:40:36 PM - System Checkpoint
RP339: 5/14/2012 3:15:29 PM - System Checkpoint
RP340: 5/15/2012 3:43:46 PM - System Checkpoint
RP341: 5/16/2012 4:42:09 PM - System Checkpoint
RP342: 5/17/2012 5:30:11 PM - System Checkpoint
RP343: 5/18/2012 5:43:41 PM - System Checkpoint
RP344: 5/19/2012 6:30:10 PM - System Checkpoint
RP345: 5/20/2012 7:30:08 PM - System Checkpoint
RP346: 5/21/2012 8:07:08 PM - System Checkpoint
RP347: 5/22/2012 8:42:21 PM - System Checkpoint
RP348: 5/23/2012 8:42:41 PM - System Checkpoint
RP349: 5/24/2012 8:43:48 PM - System Checkpoint
RP350: 5/25/2012 9:20:43 PM - System Checkpoint
RP351: 5/26/2012 10:20:45 PM - System Checkpoint
RP352: 5/27/2012 11:20:44 PM - System Checkpoint
RP353: 5/28/2012 11:27:32 PM - System Checkpoint
RP354: 5/29/2012 11:40:20 PM - System Checkpoint
RP355: 5/30/2012 11:58:35 PM - System Checkpoint
RP356: 6/1/2012 12:58:36 AM - System Checkpoint
RP357: 6/2/2012 6:56:36 AM - System Checkpoint
RP358: 6/3/2012 7:54:39 AM - System Checkpoint
RP359: 6/4/2012 7:50:42 PM - System Checkpoint
RP360: 6/5/2012 8:50:30 PM - System Checkpoint
RP361: 6/6/2012 9:38:21 PM - System Checkpoint
RP362: 6/7/2012 10:38:20 PM - System Checkpoint
RP363: 6/8/2012 10:59:34 PM - System Checkpoint
RP364: 6/9/2012 11:57:51 PM - System Checkpoint
RP365: 6/11/2012 12:05:40 AM - System Checkpoint
RP366: 6/12/2012 12:12:42 AM - System Checkpoint
RP367: 6/12/2012 7:24:08 PM - Removed Java™ 6 Update 26
RP368: 6/12/2012 7:24:49 PM - Installed Java™ 6 Update 33
RP369: 6/13/2012 8:11:58 PM - Software Distribution Service 3.0
RP370: 6/14/2012 8:23:23 PM - System Checkpoint
RP371: 6/15/2012 9:07:50 PM - System Checkpoint
RP372: 6/16/2012 9:37:07 PM - System Checkpoint
RP373: 6/17/2012 10:21:14 PM - System Checkpoint
RP374: 6/18/2012 10:35:53 PM - System Checkpoint
RP375: 6/19/2012 10:15:38 PM - Software Distribution Service 3.0
RP376: 6/20/2012 7:26:11 AM - Removed Skype™ 5.8
RP377: 6/21/2012 10:07:24 AM - System Checkpoint
.
==== Installed Programs ======================
.
2Wire Wireless Client
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader X (10.1.3)
Apple Application Support
Apple Software Update
AT&T Yahoo! High Speed Internet Home Networking Installer
ATI - Software Uninstall Utility
ATI Display Driver
Canon iP2600 series
Canon iP2600 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Critical Update for Windows Media Player 11 (KB959772)
Dell ResourceCD
Drive Manager
ESET Online Scanner v3
ESET Smart Security
GoToAssist Corporate
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® PRO Ethernet Adapter and Software
iTunes
Java Auto Updater
Java™ 6 Update 33
Junk Mail filter update
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Excel 97
Microsoft IntelliPoint 7.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 97
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 6 Service Pack 2 (KB954459)
Norton SystemWorks
Picture Package Music Transfer
QuickTime
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Sony Picture Utility
SpywareBlaster 4.6
Symantec Technical Support Web Controls
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebEx
WebFldrs XP
Windows 7 Upgrade Advisor
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
6/22/2012 8:26:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/22/2012 8:26:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ehdrv epfwtdi Fips intelppm IPSec Lbd MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:26:01 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
6/22/2012 8:25:47 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/22/2012 8:25:43 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
6/22/2012 7:53:52 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
6/22/2012 11:59:51 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
6/20/2012 8:06:48 AM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/20/2012 8:06:48 AM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
6/19/2012 9:46:16 AM, error: Print [6161] - The document http://msn.careerbui...nterviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 115608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:44:44 AM, error: Print [6161] - The document http://msn.careerbui...nterviewing-The- owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 115440. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 9:00:46 PM, error: Print [6161] - The document https://hrjobs.trave...E/HRMS/c/HRS_HR owned by Frances failed to print on printer Canon iP2600 series. Data type: NT EMF 1.008. Size of the spool file in bytes: 196608. Number of bytes printed: 39100. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\JIM2-88XVZV9YF. Win32 error code returned by the print processor: 0 (0x0).
6/19/2012 11:41:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd SASDIFSV SASKUTIL
6/19/2012 11:41:15 AM, error: Service Control Manager [7000] - The iPodService service failed to start due to the following error: %1 is not a valid Win32 application.
6/19/2012 11:41:14 AM, error: DCOM [10005] - DCOM got error "%193" attempting to start the service iPodService with arguments "-Service" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
6/19/2012 11:41:07 AM, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
6/19/2012 11:41:07 AM, error: Service Control Manager [7000] - The PPPoE Service service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

#22 Maniac

Maniac

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 17,454 posts
  • Gender:Male
  • Location:Bulgaria, EU

Posted 24 June 2012 - 09:00 AM

Let us now explain how to proceed, because obviously I was not clear enough: your system is infected, and it is susceptible to becoming infected, as you already discovered yourself. You should not use this computer for any other important activities except what we're doing here. You are logged in to the mailbox and your password has been compromised; from a clean PC you should change it immediately. It is also important to change absolutely all passwords that have been typed on this infected computer.

Now:

Step 1

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 2

Delete your current ComboFix copy, download a new fresh one and re-run it. Post the log file in your next reply.


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • ComboFix log

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#23 CaseyJ000

Posted 24 June 2012 - 09:54 AM

Maniac,
I backed up all the data on the infected computer yesterday to an external drive. I'm still running in Safe Mode with Networking in order to use these tools. I had some trouble disabling ESET, as the icon is gone; I launched the scanner from the program file and ended it in the Task Manager. If it spoiled the ComboFix log, let me know what to do and I'll do it again.
Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.24.02

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Administrator :: JIM2-88XVZV9YF [administrator]

Protection: Disabled

6/24/2012 7:06:36 AM
mbam-log-2012-06-24 (07-06-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213958
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
ComboFix 12-06-23.06 - Administrator 06/24/2012 7:30.3.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.591 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\dllcache\wmpvis.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-22 15:01 . 2012-06-22 15:01 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll
2012-06-22 15:01 . 2012-06-22 15:01 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll
2012-06-22 14:54 . 2012-06-22 15:00 -------- d-----w- c:\windows\LastGood
2012-06-20 05:15 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-20 04:52 . 2012-06-20 05:11 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-16 14:29 . 2001-08-18 05:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-06-16 14:29 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-06-16 14:29 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-06-16 14:29 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2012-06-13 02:25 . 2012-06-13 02:25 -------- d-----w- c:\program files\Common Files\Java
2012-06-13 02:25 . 2012-06-13 02:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 02:25 . 2012-06-13 02:25 476936 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-30 01:58 . 2012-05-30 02:01 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-29 14:49 . 2012-05-29 14:49 -------- d-----w- c:\program files\Mozilla Maintenance Service
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 02:25 . 2011-01-16 17:12 472840 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-02 22:19 . 2007-06-07 22:42 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2007-06-07 22:42 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2005-01-17 22:26 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2005-01-17 22:26 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2005-01-17 22:26 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-06-07 22:42 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2005-05-26 11:16 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2005-01-17 22:26 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2005-01-16 20:38 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2002-09-03 19:34 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2007-06-07 22:42 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2005-01-17 22:26 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2005-01-16 20:38 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:18 . 2010-02-27 15:47 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18 . 2010-02-27 15:47 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18 . 2010-02-27 15:47 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2008-09-13 14:58 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-30 02:01 . 2011-07-16 17:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-16 15:08 . 2004-08-24 03:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2008-09-13 14:57 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2002-09-03 19:42 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2002-09-03 19:40 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-09-13 15:00 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12 . 2008-09-13 14:57 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2008-09-13 14:57 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-09-13 14:57 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-04 22:56 . 2011-05-15 00:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-22 15:01 . 2012-05-29 14:48 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-06-20_14.04.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-06-22 07:44 . 2012-06-02 22:19 45080 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.6.7600.256\wups2.dll
+ 2012-06-22 07:44 . 2012-06-02 22:19 35864 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.6.7600.256\wups.dll
+ 2005-01-17 22:26 . 2012-06-02 22:19 35864 c:\windows\system32\dllcache\wups.dll
+ 2005-01-16 20:38 . 2012-06-02 22:19 53784 c:\windows\system32\dllcache\wuauclt.exe
+ 2002-09-03 19:34 . 2012-06-02 22:19 97304 c:\windows\system32\dllcache\cdm.dll
+ 2005-01-17 22:26 . 2012-06-02 22:19 210968 c:\windows\system32\dllcache\wuweb.dll
+ 2005-01-17 22:26 . 2012-06-02 22:19 329240 c:\windows\system32\dllcache\wucltui.dll
+ 2005-01-17 22:26 . 2012-06-02 22:19 577048 c:\windows\system32\dllcache\wuapi.dll
+ 2012-06-22 15:00 . 2012-06-20 04:12 133208 c:\windows\LastGood\system32\DRIVERS\86109906.sys
+ 2012-06-22 14:54 . 2012-06-20 04:12 475736 c:\windows\LastGood\system32\DRIVERS\6801776drv.sys
+ 2012-06-22 14:56 . 2012-06-20 04:12 133208 c:\windows\LastGood\system32\DRIVERS\33722614.sys
+ 2005-01-16 20:38 . 2012-06-02 22:19 1933848 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frxmxins"="frxmxins" [X]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-10 169328]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-12 1468256]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2010-08-12 2215064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
_uninst_.lnk - c:\documents and settings\Administrator\Local Settings\temp\_uninst_.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-05-17 02:24 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 1:31 PM 115008]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Frances\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [8/12/2010 2:16 PM 810144]
S2 FGLRXUtil;FGLRXUTIL;c:\windows\system32\frxhser.exe [1/16/2005 1:59 PM 53248]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/14/2011 5:50 PM 654408]
S2 PPPoEService;PPPoE Service;c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe --> c:\progra~1\NTS\ENTERN~1\app\pppoeservice.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/29/2012 6:58 PM 257696]
S3 atifglrx;atifglrx;c:\windows\system32\drivers\fglrxm.sys [1/16/2005 1:59 PM 417061]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/14/2011 5:50 PM 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/29/2012 7:49 AM 129976]
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-30 02:01]
.
2012-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\docume~1\Frances\Desktop\OUTLOO~1\msimn.exe"
TCP: DhcpNameServer = 192.168.1.254
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ucmmjbyv.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-24 07:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1078081533-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,7d,06,fc,07,f2,c7,43,b4,cd,9f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,7d,06,fc,07,f2,c7,43,b4,cd,9f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
.
Completion time: 2012-06-24 07:37:36
ComboFix-quarantined-files.txt 2012-06-24 14:37
ComboFix2.txt 2012-06-20 14:07
.
Pre-Run: 33,666,752,512 bytes free
Post-Run: 33,780,744,192 bytes free
.
- - End Of File - - D48CBCFC5150DE7ADEAB7EA5014C543C


#24 Maniac

Posted 24 June 2012 - 10:29 AM

Use Normal mode and:

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

#25 CaseyJ000

Posted 24 June 2012 - 11:54 AM

I realized that there was a ComboFix still installed in a different place after I sent you the last CF log. If you want me to delete both and rerun it, let me know. Here's the new Avast log.



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-24 08:53:30
-----------------------------
08:53:30.219 OS Version: Windows 5.1.2600 Service Pack 3
08:53:30.219 Number of processors: 1 586 0x207
08:53:30.219 ComputerName: JIM2-88XVZV9YF UserName: Frances
08:53:31.360 Initialize success
08:58:26.141 AVAST engine defs: 12062400
09:00:13.876 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:00:13.876 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
09:00:13.891 Disk 0 MBR read successfully
09:00:13.891 Disk 0 MBR scan
09:00:13.954 Disk 0 Windows XP default MBR code
09:00:13.969 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
09:00:13.985 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76277 MB offset 64260
09:00:13.985 Disk 0 scanning sectors +156280320
09:00:14.063 Disk 0 scanning C:\WINDOWS\system32\drivers
09:00:40.048 Service scanning
09:01:03.235 Modules scanning
09:01:12.094 Disk 0 trace - called modules:
09:01:12.126 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
09:01:12.641 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87390ab8]
09:01:12.641 3 CLASSPNP.SYS[f7821fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x873a8d98]
09:01:13.704 AVAST engine scan C:\WINDOWS
09:01:52.673 AVAST engine scan C:\WINDOWS\system32
09:05:21.907 AVAST engine scan C:\WINDOWS\system32\drivers
09:05:44.438 AVAST engine scan C:\Documents and Settings\Frances
09:47:15.126 AVAST engine scan C:\Documents and Settings\All Users
09:48:26.813 Scan finished successfully
09:50:30.126 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Frances\Desktop\MBR.dat"
09:50:30.126 The log file has been saved successfully to "C:\Documents and Settings\Frances\Desktop\aswMBR.txt"

#26 Maniac

Posted 24 June 2012 - 12:40 PM

No, thanks.

How are things in normal mode?

#27 CaseyJ000

Posted 24 June 2012 - 12:48 PM

Well, there are no obvious problems again.
I read your links about being hacked and, as I said, I backed up Drive C as much as I could. Every time I've run a Kaspersky scan some files are ignored as password protected, and that could be real, or a hidden trojan, I guess.
Plus anything that was there is also on external backup drive E now.
My wife has been changing passwords on another computer including email.

#28 Maniac

Posted 24 June 2012 - 12:54 PM

If there are any doubts, you can check them by uploading a file to www.virustotal.com.

So now moving on to formatting?

#29 CaseyJ000

Posted 24 June 2012 - 01:14 PM

Well, my wife and I have been talking about the email here, and the file sizes are bigger than what virustotal.com will take. We were talking about whether we should make separate folders with the most important emails and scan those.
I was reading the virustotal.com site and it seems like you might be able to buy it and scan bigger files. But I don't see how to do that on the site. Seems like you have to contact them and get a price.
The problem is, based on what you had me read about being hacked, I'm concerned about every email and every file, but I can't submit them all.
Are there particular areas that look suspicious to you? Or places that backdoor trojans usually hide, where I could upload whole folders? I've seen that it keeps regenerating into the temp file, but some other location is causing that.
Anyway, I can reorganize some email folders and scan them at virustotal.com, or we can proceed with the reformat. Let me know what you think is best.

#30 Maniac

Posted 24 June 2012 - 01:16 PM

I don't think that there is a backdoor there, but my suggestion is to proceed with format.

#31 CaseyJ000

Posted 24 June 2012 - 01:18 PM

OK, let's do it.

#32 Maniac

Posted 24 June 2012 - 01:40 PM

Do you still need my help?

#33 CaseyJ000

Posted 24 June 2012 - 01:45 PM

I was thinking I might. I guess you're saying proceed with the info on the "What to do when you've been hacked" webpages. What's the first step to wipe out Drive C? Or does installing Windows 7 over Windows XP do that anyway?

#34 Maniac

Posted 24 June 2012 - 01:54 PM

The choice of operating system is yours.
http://windows.micro...stall-uninstall

#35 CaseyJ000

Posted 24 June 2012 - 02:09 PM

OK, later today I will put Windows 7 on.
I assume I would disconnect drive E, the suspicious backup drive, prior to doing that? After putting Windows 7 on and reinstalling ESET and Malwarebytes, would you suggest adding anything else?
And if so, is there something powerful enough to kill leftover infections on Drive E other than Virustotal.com?
Does Windows 7 have better prevention of backdoor trojans or rootkit corruptions?

#36 Maniac

Posted 24 June 2012 - 02:23 PM

Quote

I assume I would disconnect drive E, the suspicious backup drive, prior to doing that?

It is important to do.

Quote

After putting Windows 7 on and reinstalling ESET and Malwarebytes, would you suggest adding anything else?

Good suggestions here:
http://forums.malwar...=0

Quote

And if so, is there something powerful enough to kill leftover infections on Drive E other than Virustotal.com?

VirusTotal is only for your information; it can't do anything on your operating system. When you reinstall and install your security software, scan the partition E:\ to check once more that everything is okay.

Quote

Does Windows 7 have better prevention of backdoor trojans or rootkit corruptions?

Windows 7 has much better security protection than the previous Windows OS. Take a look here:
http://www.microsoft...y/windows7.aspx

#37 CaseyJ000

Posted 26 June 2012 - 09:44 PM

Hi Maniac, this is an ESET scan of our backup drive; it didn't detect anything. What do you think? I think some old adware scanners got backed up, plus at least one antivirus we were working with. This computer is on Windows 7 now.

#38 CaseyJ000

Posted 26 June 2012 - 10:42 PM

Here it is...


#39 Maniac

Posted 27 June 2012 - 03:56 AM

Everything looks good. :)

#40 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,467 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 02 July 2012 - 03:40 PM

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Chris Fistonich
Research Team
