VujaDe
Honorary Members
Posts: 34
Reputation: 0 Neutral
Location: Texas
  1. Sorry, Borislav! I got very sick and stopped working on her computer. I did uninstall Avast and reinstall but it's still not updating. I get a server error each time it tries to download the update. I do appreciate all your help.
  2. Avast still won't update. I get a server connection error. Would it help to uninstall and reinstall?
  3. ESET Scanner log:
     ESETSmartInstaller@High as downloader log:
     all ok
     # version=7
     # OnlineScannerApp.exe=1.0.0.1
     # OnlineScanner.ocx=1.0.0.6425
     # api_version=3.0.2
     # EOSSerial=a74c21c7783ee84f95c25e6f5eaae765
     # end=stopped
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=true
     # antistealth_checked=true
     # utc_time=2011-03-03 04:50:05
     # local_time=2011-03-02 10:50:05 (-0600, Central Standard Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=768 16777215 100 0 1399449 1399449 0 0
     # compatibility_mode=6143 16777215 0 0 0 0 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=118912
     # found=7
     # cleaned=7
     # scan_time=5771
     C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\58\2ec82cba-28023116    multiple threats (deleted - quarantined)    00000000000000000000000000000000    C
     C:\Qoobox\Quarantine\[8]-Submit_2011-02-21_10.44.08.zip    Win32/Adware.Virtumonde.NHD application (deleted - quarantined)    00000000000000000000000000000000    C
     C:\Qoobox\Quarantine\C\WINDOWS\system32\nvrstrz.dll.vir    Win32/Adware.Virtumonde.NHD application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
     C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP13\A0001102.dll    Win32/Adware.Virtumonde.NHD application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
     C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP8\A0000209.exe    a variant of Win32/AdInstaller application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
     D:\I386\APPS\APP11710\src\CompaqPresario_Spring06.exe    a variant of Win32/AdInstaller application (deleted - quarantined)    00000000000000000000000000000000    C
     D:\I386\APPS\APP11710\src\HPPavillion_Spring06.exe    a variant of Win32/AdInstaller application (deleted - quarantined)    00000000000000000000000000000000    C
  4. I'm no longer having any pop-ups or redirects, but the Avast update won't connect to the servers. Not sure if that's a problem with Avast or the virus we were dealing with. Everything else seems to be working well.
  5. ComboFix Log: ComboFix 11-02-24.05 - Compaq_Administrator 02/25/2011 15:56:58.4.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1420 [GMT -6:00] Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} FILE :: "c:\windows\system32\nvrstrz.dll" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Compaq_Administrator\Local Settings\temp\IadHide5.dll c:\windows\system32\nvrstrz.dll . ((((((((((((((((((((((((( Files Created from 2011-01-25 to 2011-02-25 ))))))))))))))))))))))))))))))) . 2011-02-23 00:07 . 2011-02-23 00:07 -------- d-----w- c:\program files\iPod 2011-02-13 23:30 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2011-02-13 23:30 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys 2011-02-13 23:30 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2011-02-13 23:30 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2011-02-13 23:30 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2011-02-13 23:30 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys 2011-02-13 23:30 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2011-02-13 23:29 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr 2011-02-13 23:29 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe 2011-02-13 23:29 . 2011-02-13 23:29 -------- d-----w- c:\program files\Alwil Software 2011-02-13 23:29 . 
2011-02-13 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2011-02-13 18:48 . 2011-02-13 18:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-02-13 18:21 . 2011-02-13 18:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2011-02-11 06:01 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{50C4EBB6-D385-4429-933D-00718E4CF1C8}\mpengine.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-21 14:44 . 2004-08-09 21:00 439296 ------w- c:\windows\system32\shimgvw.dll 2011-01-13 09:41 . 2007-08-20 02:29 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll 2011-01-07 14:09 . 2004-08-09 21:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2004-08-09 21:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2004-08-09 21:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-21 00:09 . 2010-06-20 21:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-21 00:08 . 2010-06-20 21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-20 22:15 . 2004-08-09 21:00 667136 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 22:15 . 2004-08-09 21:00 61952 ------w- c:\windows\system32\tdc.ocx 2010-12-20 22:15 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll 2010-12-20 17:26 . 2004-08-09 21:00 730112 ------w- c:\windows\system32\lsasrv.dll 2010-12-20 15:30 . 2004-08-09 21:00 369664 ------w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2004-08-10 04:00 718336 ------w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll 2010-12-09 13:38 . 
2006-11-06 09:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2006-11-06 09:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "nwiz"="nwiz.exe" [2006-01-24 1519616] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896] "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264] c:\documents and settings\Default User\Start Menu\Programs\Startup\ Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-4-26 27136] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Compaq Connections.lnk - c:\program files\Compaq 
Connections\5577497\Program\Compaq Connections.exe [2006-4-26 36903] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/13/2011 5:30 PM 294608] R2 
aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/13/2011 5:30 PM 17744] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?] S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] . Contents of the 'Scheduled Tasks' folder 2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50] 2011-02-25 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20] . . ------- Supplementary Scan ------- . uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\8n61yx1z.default\ FF - prefs.js: browser.search.selectedEngine - MyWebSearch FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLfox000&fl=0&ptb=_vFd3yNDoZAV3KOBzBiWag&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor= FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Quick 
Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-25 16:05 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*] "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50, 9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFB1E792-937C-2E2C-B503416C70313BBE}\{BD69B123-9CB2-AD51-2CEEB02A3D233088}\{35363435-F6CB-3D47-CEABC35649A0E9E6}*] "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50, 9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Alwil Software\Avast5\AvastSvc.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\windows\arservice.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\eHome\ehRecvr.exe c:\windows\eHome\ehSched.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\nvsvc32.exe c:\windows\system32\HPZipm12.exe c:\windows\ehome\mcrdsvc.exe c:\windows\RTHDCPL.EXE c:\windows\ARPWRMSG.EXE c:\windows\system32\dllhost.exe c:\windows\system32\wscntfy.exe c:\windows\eHome\ehmsas.exe c:\program files\AIM6\aolsoftware.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Yahoo!\Messenger\ymsgr_tray.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe . ************************************************************************** . Completion time: 2011-02-25 16:11:14 - machine was rebooted ComboFix-quarantined-files.txt 2011-02-25 22:10 ComboFix2.txt 2011-02-21 16:50 ComboFix3.txt 2011-02-21 02:50 ComboFix4.txt 2010-07-01 01:29 Pre-Run: 127,245,832,192 bytes free Post-Run: 127,369,060,352 bytes free - - End Of File - - 55E1D0F63A4B80FED0DD9D88293C9E94
  6. I tried changing the name but got an error message "Cannot rename nvrstrz.dll: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I tried changing the attributes but I get "access is denied".
  7. I have submitted the file. I don't know if this is part of the issue we're working on but I was doing a Google search just now and there are some Google redirects happening on this machine. Just FYI. Thanks again for your help.
  8. Thanks again! ComboFix Log: ComboFix 11-02-20.03 - Compaq_Administrator 02/21/2011 10:44:13.3.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1400 [GMT -6:00] Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} file zipped: c:\windows\system32\nvrstrz.dll . ((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 ))))))))))))))))))))))))))))))) . 2011-02-13 23:30 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2011-02-13 23:30 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys 2011-02-13 23:30 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2011-02-13 23:30 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2011-02-13 23:30 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2011-02-13 23:30 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys 2011-02-13 23:30 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2011-02-13 23:29 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr 2011-02-13 23:29 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe 2011-02-13 23:29 . 2011-02-13 23:29 -------- d-----w- c:\program files\Alwil Software 2011-02-13 23:29 . 2011-02-13 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2011-02-13 18:48 . 2011-02-13 18:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-02-13 18:30 . 2011-02-13 18:30 59904 --sha-r- c:\windows\system32\nvrstrz.dll 2011-02-13 18:21 . 
2011-02-13 18:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData 2011-02-11 06:01 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{50C4EBB6-D385-4429-933D-00718E4CF1C8}\mpengine.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-21 14:44 . 2004-08-09 21:00 439296 ------w- c:\windows\system32\shimgvw.dll 2011-01-13 09:41 . 2007-08-20 02:29 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll 2011-01-07 14:09 . 2004-08-09 21:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10 . 2004-08-09 21:00 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2004-08-09 21:00 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-21 00:09 . 2010-06-20 21:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-21 00:08 . 2010-06-20 21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-20 22:15 . 2004-08-09 21:00 667136 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 22:15 . 2004-08-09 21:00 61952 ------w- c:\windows\system32\tdc.ocx 2010-12-20 22:15 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll 2010-12-20 17:26 . 2004-08-09 21:00 730112 ------w- c:\windows\system32\lsasrv.dll 2010-12-20 15:30 . 2004-08-09 21:00 369664 ------w- c:\windows\system32\html.iec 2010-12-09 15:15 . 2004-08-10 04:00 718336 ------w- c:\windows\system32\ntdll.dll 2010-12-09 14:30 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll 2010-12-09 13:38 . 2006-11-06 09:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07 . 2006-11-06 09:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968] "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360] "nwiz"="nwiz.exe" [2006-01-24 1519616] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160] "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264] c:\documents and settings\Default User\Start Menu\Programs\Startup\ Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-4-26 27136] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-4-26 36903] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] 
"%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/13/2011 5:30 PM 294608] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/13/2011 5:30 PM 17744] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?] S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592] . Contents of the 'Scheduled Tasks' folder 2011-02-21 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20] . . 
------- Supplementary Scan ------- . uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\8n61yx1z.default\ FF - prefs.js: browser.search.selectedEngine - MyWebSearch FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLfox000&fl=0&ptb=_vFd3yNDoZAV3KOBzBiWag&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor= FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-21 10:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*] "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50, 9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFB1E792-937C-2E2C-B503416C70313BBE}\{BD69B123-9CB2-AD51-2CEEB02A3D233088}\{35363435-F6CB-3D47-CEABC35649A0E9E6}*] "S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50, 9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 . Completion time: 2011-02-21 10:50:03 ComboFix-quarantined-files.txt 2011-02-21 16:49 ComboFix2.txt 2011-02-21 02:50 ComboFix3.txt 2010-07-01 01:29 Pre-Run: 128,029,507,584 bytes free Post-Run: 128,007,593,984 bytes free - - End Of File - - 1B52C7FAE55DED5C2D197E4CA814D5EA
  9. Borislav, I apologize for the delay. My mother's computer wasn't the only one to get a virus. I had one that took me down for a few days. I ran combofix and the log is below: ComboFix 11-02-20.01 - Compaq_Administrator 02/20/2011 20:37:56.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1250 [GMT -6:00] Running from: c:\documents and settings\Compaq_Administrator\Desktop\Combo-Fix.exe AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Compaq_Administrator\Local Settings\temp\IadHide5.dll c:\windows\system32\SET61D.tmp . ((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 ))))))))))))))))))))))))))))))) . 2011-02-13 23:30 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2011-02-13 23:30 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys 2011-02-13 23:30 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2011-02-13 23:30 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2011-02-13 23:30 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2011-02-13 23:30 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys 2011-02-13 23:30 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2011-02-13 23:29 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr 2011-02-13 23:29 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe 2011-02-13 23:29 . 2011-02-13 23:29 -------- d-----w- c:\program files\Alwil Software 2011-02-13 23:29 . 2011-02-13 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software 2011-02-13 18:48 . 
2011-02-13 18:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-13 18:30 . 2011-02-13 18:30 59904 --sha-r- c:\windows\system32\nvrstrz.dll
2011-02-13 18:21 . 2011-02-13 18:21 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-02-11 06:01 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{50C4EBB6-D385-4429-933D-00718E4CF1C8}\mpengine.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-09 21:00 439296 ------w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2007-08-20 02:29 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-01-07 14:09 . 2004-08-09 21:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-09 21:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-09 21:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 00:09 . 2010-06-20 21:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-06-20 21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 22:15 . 2004-08-09 21:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2004-08-09 21:00 61952 ------w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2004-08-09 21:00 81920 ------w- c:\windows\system32\ieencode.dll
2010-12-20 17:26 . 2004-08-09 21:00 730112 ------w- c:\windows\system32\lsasrv.dll
2010-12-20 15:30 . 2004-08-09 21:00 369664 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 04:00 718336 ------w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-09 21:00 33280 ------w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2006-11-06 09:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2006-11-06 09:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-24 7311360]
"nwiz"="nwiz.exe" [2006-01-24 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-4-26 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-4-26 36903]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/13/2011 5:30 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/13/2011 5:30 PM 17744]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\RaInfo.sys --> c:\program files\LogMeIn\RaInfo.sys [?]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2011-02-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZLfox000&ptb=_vFd3yNDoZAV3KOBzBiWag
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\8n61yx1z.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLfox000&fl=0&ptb=_vFd3yNDoZAV3KOBzBiWag&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AFB1E792-937C-2E2C-B503416C70313BBE}\{BD69B123-9CB2-AD51-2CEEB02A3D233088}\{35363435-F6CB-3D47-CEABC35649A0E9E6}*]
"S6KI1YERXJTIP3T5RVDI41UR2G1"=hex:01,00,01,00,00,00,00,00,26,ff,b1,c2,08,0b,50,
9e,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4060)
c:\program files\Ipswitch\WS_FTP Home\wsftpsi.dll
c:\program files\Ipswitch\WS_FTP Home\wsftpext.dll
c:\program files\Ipswitch\WS_FTP Home\LIBEAY32.dll
c:\program files\Ipswitch\WS_FTP Home\SSLEAY32.dll
c:\program files\Ipswitch\WS_FTP Home\sslsvc.dll
c:\program files\Ipswitch\WS_FTP Home\wsftplib.dll
c:\program files\Ipswitch\WS_FTP Home\wshosts.dll
c:\program files\Ipswitch\WS_FTP Home\Res0409.DLL
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\eHome\ehRec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-02-20 20:50:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-21 02:50
ComboFix2.txt 2010-07-01 01:29

Pre-Run: 127,919,403,008 bytes free
Post-Run: 128,051,908,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - CBE42E477495BE7EA249390E9480712B
  10. Oh don't worry about it. I'm thankful for your help!
  11. Ok, I've done it. I hope I did it correctly! Thanks, Borislav!
  12. I tried it in IE and had the same issue. Incidentally, I tested it out by uploading a file that wasn't greyed out and I received a report. It's just that nvrstrz.dll file.
  13. On the VirusTotal site. I tried uploading c:\windows\system32\nvrstrz.dll but the file icon is greyed out and nothing happens when I upload it to the site. I tried changing the actual file to unhidden but that option is greyed out as well.

MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5769

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2/15/2011 7:24:59 PM
mbam-log-2011-02-15 (19-24-59).txt

Scan type: Quick scan
Objects scanned: 165287
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  14. Borislav, Thanks so much for your quick reply and your help. I had a little trouble with TDSSKiller but I think it was operator error. I ran it first but I couldn't get a report. When I rebooted it and clicked on "report" there was nothing. I ran the program again and was able to get a report but it had already detected and cured the rootkit that was found. Here are the logs:

TDSSKiller log:

2011/02/14 18:43:37.0578 0880 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/14 18:43:37.0890 0880 ================================================================================
2011/02/14 18:43:37.0921 0880 SystemInfo:
2011/02/14 18:43:37.0921 0880
2011/02/14 18:43:37.0921 0880 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/14 18:43:37.0921 0880 Product type: Workstation
2011/02/14 18:43:37.0921 0880 ComputerName: PATSY
2011/02/14 18:43:37.0921 0880 UserName: Compaq_Administrator
2011/02/14 18:43:37.0921 0880 Windows directory: C:\WINDOWS
2011/02/14 18:43:37.0921 0880 System windows directory: C:\WINDOWS
2011/02/14 18:43:37.0921 0880 Processor architecture: Intel x86
2011/02/14 18:43:37.0921 0880 Number of processors: 1
2011/02/14 18:43:37.0921 0880 Page size: 0x1000
2011/02/14 18:43:37.0921 0880 Boot type: Normal boot
2011/02/14 18:43:37.0921 0880 ================================================================================
2011/02/14 18:43:38.0453 0880 Initialize success
2011/02/14 18:43:52.0156 2056 ================================================================================
2011/02/14 18:43:52.0156 2056 Scan started
2011/02/14 18:43:52.0156 2056 Mode: Manual;
2011/02/14 18:43:52.0156 2056 ================================================================================
2011/02/14 18:43:54.0343 2056 Aavmker4 (479c9835b91147be1a92cb76fad9c6de) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/02/14 18:43:55.0468 2056 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/14 18:43:55.0921 2056 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/14 18:43:56.0484 2056 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/14 18:43:56.0859 2056 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/14 18:43:58.0468 2056 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/02/14 18:43:59.0640 2056 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
2011/02/14 18:44:00.0187 2056 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
2011/02/14 18:44:00.0968 2056 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
2011/02/14 18:44:01.0390 2056 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
2011/02/14 18:44:01.0890 2056 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/02/14 18:44:02.0468 2056 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
2011/02/14 18:44:04.0140 2056 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/02/14 18:44:04.0921 2056 aswMon2 (a1c52b822b7b8a5c2162d38f579f97b7) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/02/14 18:44:05.0421 2056 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/02/14 18:44:06.0156 2056 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\WINDOWS\system32\drivers\aswSP.sys
2011/02/14 18:44:06.0812 2056 aswTdi (1408421505257846eb336feeef33352d) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/02/14 18:44:07.0375 2056 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/14 18:44:07.0687 2056 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/14 18:44:08.0734 2056 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/14 18:44:09.0078 2056 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/14 18:44:09.0500 2056 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
2011/02/14 18:44:09.0671 2056 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/14 18:44:10.0093 2056 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/14 18:44:10.0468 2056 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/14 18:44:10.0921 2056 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/14 18:44:11.0187 2056 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/14 18:44:13.0343 2056 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/14 18:44:14.0296 2056 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/14 18:44:15.0015 2056 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/14 18:44:15.0265 2056 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/14 18:44:15.0921 2056 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/14 18:44:16.0328 2056 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/14 18:44:16.0468 2056 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/14 18:44:17.0203 2056 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/02/14 18:44:17.0406 2056 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/14 18:44:17.0640 2056 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/14 18:44:17.0875 2056 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/14 18:44:18.0125 2056 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/14 18:44:18.0562 2056 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/14 18:44:18.0734 2056 ftsata2 (22399d3ce5840c6082844679cca5d2fc) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/02/14 18:44:19.0218 2056 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/02/14 18:44:19.0375 2056 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/14 18:44:19.0843 2056 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/14 18:44:20.0125 2056 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/14 18:44:20.0515 2056 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/02/14 18:44:21.0046 2056 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/02/14 18:44:21.0328 2056 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/02/14 18:44:21.0593 2056 HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
2011/02/14 18:44:22.0281 2056 HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
2011/02/14 18:44:22.0640 2056 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/14 18:44:23.0500 2056 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/14 18:44:23.0937 2056 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/02/14 18:44:24.0734 2056 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/14 18:44:26.0421 2056 IntcAzAudAddService (64be56b8858ca0153c725c720ffd194f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/02/14 18:44:26.0859 2056 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/14 18:44:27.0109 2056 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/14 18:44:27.0578 2056 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/14 18:44:27.0921 2056 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/14 18:44:28.0281 2056 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/14 18:44:28.0640 2056 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/14 18:44:29.0140 2056 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/14 18:44:29.0453 2056 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/14 18:44:29.0781 2056 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/14 18:44:30.0109 2056 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/14 18:44:30.0453 2056 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/14 18:44:30.0828 2056 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/14 18:44:31.0453 2056 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/14 18:44:32.0484 2056 LMImirr (725d65bf81191264210f75a921527aeb) C:\WINDOWS\system32\DRIVERS\LMImirr.sys
2011/02/14 18:44:32.0921 2056 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/02/14 18:44:33.0234 2056 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/02/14 18:44:33.0484 2056 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/14 18:44:33.0781 2056 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/14 18:44:34.0250 2056 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/14 18:44:34.0546 2056 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/14 18:44:34.0937 2056 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/14 18:44:35.0265 2056 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/14 18:44:35.0781 2056 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/14 18:44:36.0500 2056 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/14 18:44:36.0906 2056 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/14 18:44:37.0453 2056 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/14 18:44:37.0750 2056 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/14 18:44:38.0078 2056 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/14 18:44:38.0656 2056 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/14 18:44:39.0031 2056 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/14 18:44:39.0625 2056 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/14 18:44:39.0859 2056 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/14 18:44:40.0343 2056 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/14 18:44:40.0796 2056 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/14 18:44:41.0125 2056 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/14 18:44:41.0656 2056 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/14 18:44:42.0015 2056 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/02/14 18:44:42.0375 2056 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/14 18:44:43.0046 2056 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/14 18:44:43.0671 2056 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/14 18:44:44.0625 2056 nv (ce58f42b11be20a47c3d8d2f38da254e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/02/14 18:44:45.0984 2056 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/02/14 18:44:46.0656 2056 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/02/14 18:44:47.0031 2056 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/14 18:44:47.0250 2056 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/14 18:44:47.0718 2056 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/02/14 18:44:48.0109 2056 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/14 18:44:48.0296 2056 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/14 18:44:48.0687 2056 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/14 18:44:49.0265 2056 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/14 18:44:50.0125 2056 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/14 18:44:50.0890 2056 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/14 18:44:55.0140 2056 Point32 (5c71f7cdd1b4ba5f00b87ca05e414aea) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/02/14 18:44:55.0734 2056 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/14 18:44:55.0984 2056 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/02/14 18:44:56.0500 2056 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/14 18:44:56.0718 2056 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/14 18:44:57.0234 2056 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/14 18:44:58.0812 2056 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/14 18:44:59.0203 2056 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/14 18:44:59.0703 2056 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/14 18:45:00.0093 2056 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/14 18:45:00.0593 2056 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/14 18:45:00.0890 2056 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/14 18:45:01.0453 2056 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/14 18:45:01.0890 2056 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/14 18:45:02.0109 2056 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/14 18:45:02.0343 2056 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/02/14 18:45:02.0531 2056 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/14 18:45:02.0937 2056 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/02/14 18:45:03.0250 2056 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/14 18:45:04.0046 2056 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/14 18:45:04.0468 2056 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/14 18:45:05.0156 2056 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/14 18:45:05.0890 2056 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/14 18:45:06.0531 2056 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/14 18:45:07.0921 2056 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/14 18:45:08.0390 2056 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/14 18:45:08.0625 2056 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/14 18:45:08.0953 2056 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/14 18:45:09.0234 2056 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/14 18:45:09.0640 2056 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/14 18:45:09.0906 2056 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/14 18:45:10.0171 2056 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/02/14 18:45:10.0359 2056 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/14 18:45:10.0468 2056 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/14 18:45:10.0687 2056 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/14 18:45:10.0750 2056 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/02/14 18:45:10.0875 2056 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/14 18:45:10.0921 2056 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/14 18:45:11.0000 2056 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/14 18:45:11.0218 2056 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/14 18:45:11.0359 2056 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/14 18:45:11.0468 2056 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/14 18:45:11.0703 2056 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/14 18:45:11.0843 2056 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/14 18:45:12.0187 2056 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/14 18:45:12.0359 2056 winachsx (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/02/14 18:45:12.0578 2056 ================================================================================
2011/02/14 18:45:12.0578 2056 Scan finished
2011/02/14 18:45:12.0578 2056 ================================================================================

DDS:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Compaq_Administrator at 18:53:30.96 on Mon 02/14/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1353 [GMT -6:00]

AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZLfox000&ptb=_vFd3yNDoZAV3KOBzBiWag
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://mikealantrujillo.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\8n61yx1z.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLfox000&fl=0&ptb=_vFd3yNDoZAV3KOBzBiWag&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\documents and settings\compaq_administrator\application data\mozilla\firefox\profiles\8n61yx1z.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07010901.dll
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-13 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-13 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-13 40384]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\rainfo.sys --> c:\program files\logmein\RaInfo.sys [?]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] =============== Created Last 30 ================ 2011-02-13 23:29:52 38848 ----a-w- c:\windows\avastSS.scr 2011-02-13 23:29:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software 2011-02-13 18:30:51 59904 --sha-r- c:\windows\system32\nvrstrz.dll 2011-02-11 06:01:05 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{50c4ebb6-d385-4429-933d-00718e4cf1c8}\mpengine.dll 2011-01-21 14:44:37 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll ==================== Find3M ==================== 2011-01-21 14:44:37 439296 ------w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll 2010-12-20 22:15:52 667136 ----a-w- c:\windows\system32\wininet.dll 2010-12-20 22:15:52 61952 ------w- c:\windows\system32\tdc.ocx 2010-12-20 22:15:51 81920 ------w- c:\windows\system32\ieencode.dll 2010-12-20 17:26:00 730112 ------w- c:\windows\system32\lsasrv.dll 2010-12-20 15:30:29 369664 ------w- c:\windows\system32\html.iec 2010-12-09 15:15:09 718336 ------w- c:\windows\system32\ntdll.dll 2010-12-09 14:30:22 33280 ------w- c:\windows\system32\csrsrv.dll 2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-11-18 18:12:44 81920 ------w- c:\windows\system32\isign32.dll ============= FINISH: 18:54:35.06 ===============
  15. Hi there, I'm working on my mother's computer. My brother-in-law added some extra RAM and cleaned up her computer a few months ago, and I noticed that he didn't reinstall any virus protection. So, she's been using her computer without protection for quite some time. Today she started having some stubborn popups in both IE and Firefox. I tried to install Avast Anti-virus but it won't connect to their server for updated definition files. I ran MBAM and it found about 20 items, but even after removing the items, the popups and redirects are still happening. Thanks in advance for your help! Necessary logs are listed below:

MBAM Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5754
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
2/13/2011 12:59:19 PM
mbam-log-2011-02-13 (12-59-19).txt
Scan type: Quick scan
Objects scanned: 165289
Time elapsed: 7 minute(s), 10 second(s)
Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

DDS:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Compaq_Administrator at 17:42:33.18 on Sun 02/13/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1278 [GMT -6:00]
AV: avast! Antivirus *Disabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Worm Protection *Disabled*