Full Version: Can only start in Safe Mode NEED HELP PLEASE
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
shakymom
Seriously infected! MWB and HJT will not start and my virus software is affected. Was able to stop UAC.exe, then Windows Police Pro took over. Disabled internet connection and virus software automatically blocked a buffer overflow C:\windows\system32\services.exe, then virus software blocked and removed FakeAlert-DZ trojan windows\system32\bezuyiza.exe and same thing with zdekare.exe. Then got message that services.exe terminated unexpectedly and system was being shut down and restarted by NT Authority/System, status code 1073741819. Now system will only start in Safe Mode. If I try to access system restore, message says it has been turned off by group policy? Please help. Thanks!
sjpritch25
Welcome to Malwarebytes!!!!

Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks.
shakymom
Thank you SO much for your help. I downloaded the file and am attaching the log.
Thanks again!
Drew
sjpritch25
Okay, good. That explains a lot.


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply




=============================================================




Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

shakymom
When Avenger rebooted went to blue screen and was forced to hard reset. When windows loaded Total Security took over the system. Was able to download and run Avenger and have attached the txt file. Combo Fix will not run.

What now????
shakymom
Found instructions by Advanced Setup on how to kill Total Security.
Downloaded Process Explorer and killed 12498237.exe process.
Total Security disappeared from Systray and popups stopped.
After several attempts ComboFix ran and completed. Logs attached.
HJT still will not run: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Reinstalled Malwarebytes and ran quickscan. Logs attached.

Ever so appreciative of your help! Love this forum (=

sjpritch25
Download the attached file CFScript.txt to your Desktop




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!


=============================================



  • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



==============================================


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

shakymom
Ran ComboFix as instructed with CFScript.

To run ComboFix couldn't disable McAfee virus. Noticed it was not scanning. Scheduled to run daily but has not scanned since 9/18 and could not start a scan. Got error message so I uninstalled McAfee. It was free through ISP but liked AVG better.

ComboFix 09-10-01.05 - Drew 10/02/2009 14:02.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.198 [GMT -5:00]
Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro
2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat
2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache
2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE
2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache
2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates
2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8
2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3
2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 01:09 . 2009-07-01 01:08 50688 --sha-w- c:\windows\system32\zugowuva.dll
2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java
2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 19:08 . 2009-10-02 19:08 16384 c:\windows\temp\Perflib_Perfdata_650.dat
+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-01 01:35 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]
Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]
S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

BHO-{d51f78a4-b4df-406f-9d1e-24c82809d43c} - tugokubu.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 14:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\usrshuta.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-02 14:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-02 19:11
ComboFix2.txt 2009-10-01 01:33

Pre-Run: 63,608,459,264 bytes free
Post-Run: 63,586,062,336 bytes free

163 --- E O F --- 2009-09-17 22:01


Still cannot get HJT to run. I have tried uninstalling and downloading a fresh copy. Still get error message "Windows cannot access the specified device, path, or file....."

Also ran win32kdiag

Running from: C:\Documents and Settings\Drew\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Drew\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13F.tmp\ZAP13F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13F.tmp\ZAP13F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP329.tmp\ZAP329.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP329.tmp\ZAP329.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP406.tmp\ZAP406.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP406.tmp\ZAP406.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D.tmp\ZAP43D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43D.tmp\ZAP43D.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

Off to run Kaspersky.....
sjpritch25
Download regsrch.zip to your Desktop.
1. Unzip the contents of RegSrch.zip to a convenient location.
2. Double-click on RegSrch.vbs.
3. If you have an anti-virus installed it might prompt you about a running script.
4. Please ignore this warning and allow the script to run.
5. In the "Enter search string (case insensitive) and click OK..." box, paste this string:

USBDriver

6. Click "OK" to search the registry for that string.
7. Wait for a few minutes while it completes the search.
8. Click "OK" to open the results in WordPad.
9. Copy and paste the entire results into your next post.
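The RegSrch step above chases the "USBDriver" name that the ComboFix log earlier in the thread shows twice: as an S2 service whose image is svchost.exe -k netsvcs, and as an entry ComboFix lists under the NetSvcs svchost group (ComboFix only prints entries that are not legit defaults). As an added example, not code from ComboFix, RegSrch or anyone in this thread, the Python below reads those two parts of a ComboFix log and flags a service hosted in the netsvcs group under a name that is not a stock netsvcs member, and a boot-start driver whose file ComboFix could not find on disk (the nnskip.sys line). The allow-list of stock netsvcs services, the reading of "[?]" as "file not found", and the benign wuauserv line in the sample are my assumptions; the other sample lines are copied from the log in this thread.

```python
import re

# Constructed, deliberately partial allow-list of the services Windows XP
# ships in the "netsvcs" svchost group. It is an assumption for this example,
# not an authoritative reference: in a real triage compare against a clean
# machine of the same build.
KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp",
    "dmserver", "ersvc", "eventsystem", "fastuserswitchingcompatibility",
    "helpsvc", "hidserv", "ias", "iprip", "irmon", "lanmanserver",
    "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "nwcworkstation", "nwsapagent", "rasauto", "rasman", "remoteaccess",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "uploadmgr", "w32time",
    "winmgmt", "wmi", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# ComboFix service line: "<start type> <name>;<display name>;<image> [date size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$"
)
NETSVCS_HEADER_RE = re.compile(r"Svchost - NetSvcs\s*$", re.IGNORECASE)
SVCHOST_NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)
TRAILER_RE = re.compile(r"\s*\[[^\]]*\]\s*$")  # the "[date size]" or "[?]" suffix


def parse_services(lines):
    """Return one dict per R#/S# service line in a ComboFix log."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("image").rstrip()
        services.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "image": TRAILER_RE.sub("", image),
            # ComboFix writes "[?]" where it could not find the image file on
            # disk (my reading of its notation; see the nnskip.sys line above).
            "missing": image.endswith("[?]"),
        })
    return services


def parse_netsvcs_members(lines):
    """Return the names ComboFix lists under its 'Svchost - NetSvcs' header.

    ComboFix omits legit default entries, so anything listed there was added
    to the group after installation.
    """
    members = []
    it = iter(lines)
    for line in it:
        if NETSVCS_HEADER_RE.search(line):
            for member in it:
                member = member.strip()
                if not member:
                    break
                members.append(member)
            break
    return members


def triage(lines):
    """Return (service name, reason) pairs that deserve a closer look."""
    findings = []
    for name in parse_netsvcs_members(lines):
        if name.lower() not in KNOWN_NETSVCS:
            findings.append((name, "non-default name added to the netsvcs svchost group"))
    for svc in parse_services(lines):
        if SVCHOST_NETSVCS_RE.search(svc["image"]) and svc["name"].lower() not in KNOWN_NETSVCS:
            findings.append((svc["name"], "runs inside svchost -k netsvcs but is not a stock netsvcs service"))
        if svc["missing"]:
            findings.append((svc["name"], f"{svc['state']} driver whose image file could not be found"))
    return findings


# Constructed sample: four lines copied from the ComboFix log in this thread
# plus one benign wuauserv line (assumed) added for contrast.
SAMPLE_LOG = r"""
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]
S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]
S2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
"""

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{name}: {reason}")
```

Run against the sample it reports USBDriver twice (once from the NetSvcs section, once from the S2 line) and seua once; the Belkin, wlanndi5 and wuauserv lines pass. The allow-list check is deliberately name-based only: a more thorough version would also resolve each netsvcs service's ServiceDll path, which is what the RegSrch output in the next post lets the helper do by hand.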
shakymom
Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 02, 2009 13:17:25
Records in database: 2889641
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 59405
Threats found: 12
Infected objects found: 30
Suspicious objects found: 0
Scan duration: 01:51:54


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ddqud.exe.vir Infected: Trojan.Win32.Sasfis.iop 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\12793124\12793124.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\lizkavd.exe.vir Infected: Trojan.Win32.FraudPack.udx 1
C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\seres.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fri 1
C:\Qoobox\Quarantine\C\Documents and Settings\Drew\Application Data\svcst.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fri 1
C:\Qoobox\Quarantine\C\hxlqib.exe.vir Infected: Backdoor.Win32.Bredavi.jk 1
C:\Qoobox\Quarantine\C\pkusq.exe.vir Infected: Trojan.Win32.Scar.ygu 1
C:\Qoobox\Quarantine\C\Program Files\Protection System\uninstall.exe.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\desot.exe.vir Infected: Trojan.Win32.FraudPack.ulp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\difajowu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\54d82e49.sys.vir Infected: Backdoor.Win32.NewRest.gh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_54d82e49_.sys.zip Infected: Backdoor.Win32.NewRest.gh 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\fimijole.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gafilumu.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hefihiru.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jobavito.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kavumefe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kenahozi.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.wsnf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lewadiye.dll.tmp.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\raferafo.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tadebava.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbprpuwjnde.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbqbiouojwu.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACltmwmpjcrt.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\venaluwe.exe.vir Infected: Packed.Win32.Krap.x 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\yizodonu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\yhjj.exe.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\WINDOWS\system32\zugowuva.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 1

Selected area has been scanned.

Next performing RegSrch.vbs
shakymom
Results of RegSrch:


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "USBDriver" 10/2/2009 5:10:07 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver\0000]
"Service"="usbdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver\0000]
"DeviceDesc"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\legacy_usbdriver\0000\Control]
"ActiveService"="usbdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver]
"DisplayName"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver\security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver\Enum]
"0"="Root\\legacy_usbdriver\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\legacy_usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\legacy_usbdriver\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\legacy_usbdriver\0000]
"Service"="usbdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\legacy_usbdriver\0000]
"DeviceDesc"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver]
"DisplayName"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver\security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver\0000]
"Service"="usbdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver\0000]
"DeviceDesc"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\legacy_usbdriver\0000\Control]
"ActiveService"="usbdriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]
"DisplayName"="USBDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\Enum]
"0"="Root\\legacy_usbdriver\\0000"



Did I mention that Windows Security Center is now telling me that Automatic Updates is OFF? However, if I go into System Properties and check, Automatic Updates is set to download automatically.

THANKS AGAIN for all the help!
sjpritch25
Go to Start ---> Run ---> Type regedit and press Enter

Navigate to the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

Right-click on the key
Choose Export.
Save it as export.txt to your desktop
Make sure save type as is .reg

In your next reply, please post the contents of the export. If it's too large, just attach it. Thanks
shakymom
There is not a "service" listed.

There is "ServiceModelEndpoint 3.0.0.0"

"ServiceModelOperation 3.0.0.0"

"ServiceModelService 3.0.0.0"


??
sjpritch25
That was my fault.

This is the key I want exported.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver
shakymom
Here it is:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="USBDriver"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,67,00,\
70,00,77,00,78,00,69,00,6c,00,76,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\Enum]
"0"="Root\\legacy_usbdriver\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Thanks
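As an added example that is not part of this thread (and not a Malwarebytes or forum tool): the export above is plain text, and the hex(2) blobs are UTF-16LE strings, so a few lines of Python can decode them and show what the helper saw. The script below re-types the posted usbdriver key as constructed sample input, parses the .reg format, decodes ImagePath and ServiceDll, and lists every service that runs inside svchost.exe together with the DLL svchost would load for it; the parameters lookup and the start-type names are the script's own assumptions.

```python
"""Decode a Windows .reg export and list services hosted inside svchost.exe.

Added example for this thread, not a tool from the forum or from Malwarebytes.
It re-types the usbdriver export posted above as constructed sample input and
shows what the hex(2) blobs say: a "USBDriver" service loaded by
svchost -k netsvcs from a randomly named DLL in system32.
"""
import re

# Constructed from the export shakymom posted (security and Enum subkeys left out).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="USBDriver"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver\parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,67,00,\
70,00,77,00,78,00,69,00,6c,00,76,00,2e,00,64,00,6c,00,6c,00,00,00
"""

# Service "Start" values as documented for the Service Control Manager.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def decode_value(rhs):
    """Turn the right-hand side of a .reg value line into a Python object."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return re.sub(r"\\(.)", r"\1", rhs[1:-1])       # REG_SZ, unescape \\ and \"
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", rhs)
    if m:
        kind = int(m.group(1) or 3)                      # bare 'hex:' is REG_BINARY
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2):                               # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                    # REG_MULTI_SZ, NUL separated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return rhs


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a regedit 5.00 export."""
    logical, pending = [], ""
    for raw in text.splitlines():
        pending += raw.strip()
        if pending.endswith("\\"):                       # hex data continues on the next line
            pending = pending[:-1]
            continue
        logical.append(pending)
        pending = ""
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def svchost_hosted_services(keys):
    """List services whose ImagePath runs svchost.exe, with the DLL svchost loads.

    Returns [(service_name, start_type, svchost_group, service_dll)]. A genuine
    group member points ServiceDll at a documented system DLL; an arbitrary
    name in system32, as in this thread, is what to look at next.
    """
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = "hkey_local_machine\\system\\currentcontrolset\\services\\"
    found = []
    for path, values in keys.items():
        low = path.lower()
        if not low.startswith(prefix) or "\\" in low[len(prefix):]:
            continue                                     # only the service key itself
        image = str(values.get("ImagePath", ""))
        if "svchost.exe" not in image.lower():
            continue
        group = re.search(r"-k\s+(\S+)", image, re.I)
        params = by_lower.get(low + "\\parameters", {})  # assumed subkey name, as in the post
        dll = str(params.get("ServiceDll", ""))
        found.append((path.rsplit("\\", 1)[1],
                      START_TYPES.get(values.get("Start"), "unknown"),
                      group.group(1) if group else "",
                      dll))
    return found


if __name__ == "__main__":
    for name, start, group, dll in svchost_hosted_services(parse_reg(SAMPLE_REG)):
        print(f"{name}: start={start} group={group} ServiceDll={dll}")
```

The same script run over a full export of the Services key would list every svchost-hosted service, which is the quicker way to spot a group member whose ServiceDll is not a known system DLL.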
sjpritch25
Good, finally got some more information. I'll be back with a post.

sjpritch25
Open notepad and copy/paste the text in the codebox below into it:
CODE
@echo off
for %%g in (
"C:\WINDOWS\system32\tgpwxilv.dll"
) do zip Files_for_submission %%g
del %0


Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/submit-mal....php?channel=70
shakymom
The grab.bat file disappeared when I clicked on it. How long should it take for the other file to appear?
sjpritch25
There is nothing called Files for submission.zip on your desktop?
sjpritch25
Note: You may need to unhide hidden files and folders.
Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


If the file isn't on your desktop, please search for it.

C:\WINDOWS\system32\tgpwxilv.dll
shakymom
Search is complete. There are no results to display???
sjpritch25
Download the attached file CFScript.txt to your Desktop




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!



I'm going to ask a couple of other experts because something else looks suspicious.
shakymom
Here is ComboFix log
Windows Security now recognizes that my Automatic Updates is turned on

ComboFix 09-10-01.05 - Drew 10/03/2009 15:49.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.225 [GMT -5:00]
Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-02 22:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-02 22:26 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-02 22:26 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-02 22:26 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\program files\Avira
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\documents and settings\Drew\Application Data\AVG8
2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro
2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat
2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache
2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE
2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache
2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates
2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8
2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3
2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 01:09 . 2009-07-01 01:08 50688 --sha-w- c:\windows\system32\zugowuva.dll
2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java
2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-10-02 22:26 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-10-02 22:23 . 2009-10-02 22:23 228352 c:\windows\Installer\a50784.msi
+ 2009-10-03 17:00 . 2009-10-03 17:00 195584 c:\windows\Installer\3612da.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]
Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2009 5:26 PM 108289]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]
S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 15:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-03 15:55
ComboFix-quarantined-files.txt 2009-10-03 20:55
ComboFix2.txt 2009-10-02 19:11
ComboFix3.txt 2009-10-01 01:33

Pre-Run: 63,346,073,600 bytes free
Post-Run: 63,399,084,032 bytes free

177 --- E O F --- 2009-10-03 17:00



shakymom
HJT still will not run? Should I attempt to download it from another source?
shakymom
Gotta get a shower and get ready to go out to dinner....daughter's 20th birthday....
sjpritch25
Please delete your copy of Combofix


Download a fresh version from here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix



=========================================================


Download the attached file CFScript.txt to your Desktop




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!
shakymom
Hello!

Deleted ComboFix and HiJackThis then rebooted the computer.
Downloaded a fresh copy of ComboFix and ran it as instructed. The logs follow.
I then downloaded a fresh copy of HiJackThis from the Malwarebytes link.
HJT still gives the error message.


ComboFix 09-10-04.01 - Drew 10/04/2009 15:32.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.63 [GMT -5:00]
Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-02 22:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-02 22:26 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-02 22:26 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-02 22:26 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\program files\Avira
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\documents and settings\Drew\Application Data\AVG8
2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro
2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat
2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache
2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE
2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache
2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates
2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8
2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3
2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 01:09 . 2009-07-01 01:08 50688 --sha-w- c:\windows\system32\zugowuva.dll
2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java
2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-10-02 22:26 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-10-02 22:23 . 2009-10-02 22:23 228352 c:\windows\Installer\a50784.msi
+ 2009-10-03 17:00 . 2009-10-03 17:00 195584 c:\windows\Installer\3612da.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]
Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2009 5:26 PM 108289]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]
S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\usrshuta.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-10-04 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 20:43
ComboFix2.txt 2009-10-03 20:55
ComboFix3.txt 2009-10-02 19:11
ComboFix4.txt 2009-10-01 01:33

Pre-Run: 63,405,166,592 bytes free
Post-Run: 63,359,434,752 bytes free

190 --- E O F --- 2009-10-03 17:00


Thanks for your help!
sjpritch25
For some reason the CFScript isn't getting through somehow.

Let's try another way.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
File::
c:\windows\system32\drivers\nnskip.sys
c:\windows\system32\zugowuva.dll
C:\WINDOWS\system32\tgpwxilv.dll
Driver::
usbdriver
seua
NetSvc::
USBDriver


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
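Why the script above singles out seua and usbdriver: the log shows a boot-start driver whose file ComboFix could not find (the "path --> path [?]" form) and a service hosted in "svchost.exe -k netsvcs" whose name also appears under "Svchost - NetSvcs", which ComboFix only prints for non-default entries. The following is an added triage example, not part of this thread or of ComboFix; it parses those two log sections from a constructed excerpt modelled on the log in this thread, flags both patterns, and emits the matching File::/Driver::/NetSvc:: CFScript sections.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the "Reg Loading Points" service lines and
# the NetSvcs block of the ComboFix log in this thread.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2009 5:26 PM 108289]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
S0 seua;seua;c:\windows\system32\drivers\nnskip.sys --> c:\windows\system32\drivers\nnskip.sys [?]
S2 usbdriver;USBDriver;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
USBDriver
"""

# R = running, S = stopped; the digit is the start type (0 = boot, 2 = auto, 3 = manual).
# Fields: key name ; display name ; image path [date/size or "?" when the file is missing]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<info>[^\]]*)\]$"
)


@dataclass
class Finding:
    name: str    # service/driver key name as ComboFix prints it
    image: str   # image path (or the svchost command line)
    reason: str


def parse_netsvcs(log: str) -> List[str]:
    """Names listed under 'Svchost - NetSvcs'. ComboFix omits Windows defaults,
    so anything printed here was added to the netsvcs group by something else."""
    names, in_block = [], False
    for line in log.splitlines():
        if "Svchost - NetSvcs" in line:
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            names.append(line.strip())
    return names


def triage(log: str) -> List[Finding]:
    netsvcs = {n.lower() for n in parse_netsvcs(log)}
    findings = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, image, info = m["name"], m["image"], m["info"]
        # Pattern 1: registered driver whose file is gone or hidden; ComboFix
        # prints it as "path --> path [?]".
        if info == "?" or " --> " in image:
            findings.append(Finding(name, image.split(" --> ")[0],
                                    f"start type {m['start']}: image file not found on disk"))
        # Pattern 2: service hosted by svchost -k netsvcs whose name was added to
        # the NetSvcs list, i.e. a DLL running inside a trusted svchost.exe.
        elif "svchost.exe -k netsvcs" in image.lower() and name.lower() in netsvcs:
            findings.append(Finding(name, image,
                                    "non-default service added to the netsvcs svchost group"))
    return findings


def build_cfscript(findings: List[Finding], netsvcs: List[str]) -> str:
    """Render findings as the File:: / Driver:: / NetSvc:: sections of a CFScript."""
    flagged = {f.name.lower() for f in findings}
    files = [f.image for f in findings if "not found" in f.reason]
    drivers = [f.name for f in findings]
    net = [n for n in netsvcs if n.lower() in flagged]
    out = []
    if files:
        out += ["File::"] + files
    if drivers:
        out += ["Driver::"] + drivers
    if net:
        out += ["NetSvc::"] + net
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.name}: {f.reason}")
    print(build_cfscript(found, parse_netsvcs(SAMPLE_LOG)))
```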
shakymom
New Combo-Fix Log.....did it work?

ComboFix 09-10-04.01 - Drew 10/04/2009 22:22.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.226 [GMT -5:00]
Running from: c:\documents and settings\Drew\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Drew\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\drivers\nnskip.sys"
"c:\windows\system32\tgpwxilv.dll"
"c:\windows\system32\zugowuva.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\zugowuva.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_usbdriver
-------\Service_seua
-------\Service_usbdriver


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-04 21:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-10-02 22:26 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-02 22:26 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-02 22:26 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-02 22:26 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\program files\Avira
2009-10-02 22:26 . 2009-10-02 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\documents and settings\Drew\Application Data\AVG8
2009-09-25 17:11 . 2009-09-25 17:11 -------- d-----w- c:\program files\Trend Micro
2009-09-25 17:03 . 2009-09-25 17:03 0 ----a-w- c:\documents and settings\Drew\settings.dat
2009-09-22 22:37 . 2009-09-22 22:37 -------- d-sh--w- c:\documents and settings\Drew\IECompatCache
2009-09-18 13:43 . 2009-09-18 13:43 -------- d-sh--w- c:\documents and settings\Drew\PrivacIE
2009-09-17 17:48 . 2009-09-17 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-17 14:10 . 2009-09-17 14:10 -------- d-sh--w- c:\documents and settings\Drew\IETldCache
2009-09-17 14:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-17 14:02 . 2009-09-17 14:03 -------- d-----w- c:\windows\ie8updates
2009-09-17 14:01 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-17 14:01 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-17 13:58 . 2009-09-17 14:01 -------- dc-h--w- c:\windows\ie8
2009-09-10 14:38 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 21:01 . 2009-10-04 21:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-04 21:01 . 2009-10-04 21:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-02 18:59 . 2009-01-21 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 13:05 . 2009-01-22 17:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-01 18:19 . 2008-01-27 22:39 -------- d-----w- c:\documents and settings\Drew\Application Data\U3
2009-10-01 01:40 . 2009-06-05 14:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 15:37 . 2006-10-16 13:22 -------- d-----w- c:\program files\Java
2009-09-10 19:54 . 2009-06-05 14:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-05 14:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 13:02 . 2006-10-16 13:33 126096 ----a-w- c:\documents and settings\Drew\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-25 15:06 . 2008-01-06 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-02 17:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 18:44 . 2009-01-21 14:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 18:44 . 2009-01-21 14:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 18:44 . 2009-01-21 14:51 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 18:43 . 2009-01-21 14:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-01_01.28.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-10-05 03:29 . 2009-10-05 03:29 16384 c:\windows\temp\Perflib_Perfdata_68c.dat
+ 2009-10-04 21:00 . 2008-04-14 00:11 21504 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\hidserv.dll
+ 2006-11-02 12:22 . 2006-11-02 12:22 32224 c:\windows\system32\drivers\wdfldr.sys
+ 2009-10-02 22:26 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-05-09 06:14 . 2009-05-09 06:14 14736 c:\windows\system32\drivers\nuidfltr.sys
+ 2006-10-16 13:16 . 2009-10-02 17:40 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-16 13:16 . 2009-09-28 00:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2006-11-02 12:22 . 2006-11-02 12:22 492000 c:\windows\system32\drivers\wdf01000.sys
+ 2009-10-02 22:23 . 2009-10-02 22:23 228352 c:\windows\Installer\a50784.msi
+ 2009-10-03 17:00 . 2009-10-03 17:00 195584 c:\windows\Installer\3612da.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-05-09 06:14 . 2009-05-09 06:14 1418120 c:\windows\system32\wdfcoinstaller01005.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe" [2004-08-04 77891]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2005-07-13 49152]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-16 90112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer WLAN 11g USB Dongle.lnk - c:\program files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-16 745472]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-12-11 221247]
Belkin Wireless Utility.lnk - c:\program files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe [2005-8-18 1388544]
Scanner File Utility.lnk - c:\program files\Kyocera\FileUtility\NsCatCom.exe [2008-1-28 327680]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kyocera\\FileUtility\\NsCatCom.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/2/2009 5:26 PM 108289]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\BLKWGD.sys [1/28/2008 1:49 PM 463872]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 22:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\user preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,be,af,f7,ae,f1,e2,0e,4c,a5,e7,1e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\usrshuta.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2009-10-05 22:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 03:32
ComboFix2.txt 2009-10-04 20:43
ComboFix3.txt 2009-10-03 20:55
ComboFix4.txt 2009-10-02 19:11
ComboFix5.txt 2009-10-05 03:19

Pre-Run: 63,339,827,200 bytes free
Post-Run: 63,294,427,136 bytes free

208 --- E O F --- 2009-10-04 21:01

Thanks!
sjpritch25
How is everything running??
shakymom
Everything seems to be working okay now. I can access Task Manager and User Accounts again.

Think we are okay!

Really, really appreciate all of your help!

sjpritch25
Go to Start ---> Run ---> Type "%userprofile%\desktop\Combo-Fix.exe" /u and press enter.

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
  2. Here are two great Preventive programs:
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • Anti-Spyware Programs I Recommend:
      • Free Anti-Spyware Programs
        • MalwareBytes Anti-Malware
  3. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place

shakymom
Thank you so much for all the help and the advice. I really thought I was doomed to reformat and start over. Really appreciate these forums. Wish I had found them before.

ShaKyMom
sjpritch25
You're welcome
shakymom
If I may ask....

I am trying to implement preventative measures. I have reformatted my daughter's laptop and this computer multiple times prior to discovering this forum. These two seem more prone to acquiring bad stuff.

Both have up-to-date virus software (I changed this one to Avira); I have installed Malwarebytes and SpywareBlaster now.

Somewhere in all of this reading, I read where some purchased version of a software would protect from drive-by malware. My thoughts are they are acquiring bad stuff from either the social networks they are frequenting or the online games they are playing.

What would you suggest as protection from "catching something" on these sites?

Thanks so much for your advice.
sjpritch25
Keeping them away from P2P networking sites is a must, but I didn't see any of those in your logs. That is good.

Make sure your Java Runtime is up to date, and that Adobe Acrobat Reader and Adobe Flash are up to date. A lot of malware is being installed because of old versions of those three programs. Surfing with IE8 or Firefox is a must. Purchasing a paid version of Malwarebytes will place an additional web of protection too. I'm not just trying to promote Mbam, but their protection module has some really good features.