EDFL

XP SP3 NETBOOK PUM.Hijack.StartMenu

14 posts in this topic

Ran Malwarebytes yesterday in safe mode on my netbook - found and removed PUM.Hijack.StartMenu. Ran again in safe mode this morning with same result. Thanks in advance for your advice.

Ed

dds.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Edward at 10:48:26 on 2012-07-06

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.598 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\wdm\STacSV.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\HP\HPBTWD.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\syncables\syncables desktop\Syncables.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe

C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\syncables\syncables desktop\MigoMapi.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/intl/en

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [cdloader] "c:\documents and settings\edward\application data\mjusbsp\cdloader2.exe" MAGICJACK

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode

mRun: [syncables] c:\program files\syncables\syncables desktop\Syncables.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

StartupFolder: c:\docume~1\edward\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE

StartupFolder: c:\docume~1\edward\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264184234343

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

TCP: DhcpNameServer = 192.168.10.1

TCP: Interfaces\{7A4E10C4-B481-4152-AFB4-4DC65DD78684} : DhcpNameServer = 192.168.10.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2011-5-31 81920]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-14 113664]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-6-14 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

.

=============== Created Last 30 ================

.

2012-07-05 22:00:43 -------- d-----w- c:\documents and settings\edward\application data\Malwarebytes

2012-07-05 22:00:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-07-05 22:00:11 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-05 22:00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-19 16:40:11 -------- d-----w- c:\documents and settings\edward\local settings\application data\Deployment

2012-06-15 06:30:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-06-15 06:30:17 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2012-06-08 02:52:56 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-08 02:52:56 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

============= FINISH: 10:49:14.81 ===============

attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 9/21/2009 7:36:40 AM

System Uptime: 7/6/2012 10:11:02 AM (0 hours ago)

.

Motherboard: Hewlett-Packard | | 308F

Processor: Intel® Atom CPU N270 @ 1.60GHz | CPU 1 | 1596/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 138.365 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Atheros AR8132 PCI-E Fast Ethernet Controller

Device ID: PCI\VEN_1969&DEV_1062&SUBSYS_308F103C&REV_C0\4&23C6FC68&0&00E1

Manufacturer: Atheros

Name: Atheros AR8132 PCI-E Fast Ethernet Controller

PNP Device ID: PCI\VEN_1969&DEV_1062&SUBSYS_308F103C&REV_C0\4&23C6FC68&0&00E1

Service: L1c

.

==== System Restore Points ===================

.

RP124: 4/16/2012 6:33:55 PM - System Checkpoint

RP125: 4/17/2012 7:29:38 PM - System Checkpoint

RP126: 4/18/2012 8:25:17 PM - System Checkpoint

RP127: 4/21/2012 12:32:35 PM - Software Distribution Service 3.0

RP128: 6/6/2012 2:54:30 AM - Software Distribution Service 3.0

RP129: 6/8/2012 1:19:12 AM - Software Distribution Service 3.0

RP130: 6/10/2012 1:24:11 AM - System Checkpoint

RP131: 6/15/2012 12:52:16 AM - System Checkpoint

RP132: 6/18/2012 11:49:32 AM - System Checkpoint

RP133: 6/19/2012 8:11:08 PM - System Checkpoint

RP134: 6/22/2012 10:58:56 AM - System Checkpoint

RP135: 6/24/2012 7:56:38 PM - System Checkpoint

RP136: 7/4/2012 9:39:35 PM - System Checkpoint

.

==== Installed Programs ======================

.

3ivx MPEG-4 5.0.3 (remove only)

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Reader 9.0.1

Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver

Broadcom 802.11 Wireless LAN Adapter

Default Manager

FlipShare

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB949764)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP BatteryCheck 2.10 A2

HP Doc Viewer

HP Help and Support

HP Mobile Broadband Setup Utility

HP User Guides 0139

HP Wireless Assistant

HpSdpAppCoreApp

IDT Audio

Intel® Graphics Media Accelerator Driver

Java 6 Update 11

magicJack

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB2656370)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Live Search Toolbar

Microsoft National Language Support Downlevel APIs

Microsoft Office 97, Professional Edition

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

MSXML 6.0 Parser

Picasa 3

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2619339)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2621440)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2641653)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB2647518)

Security Update for Windows XP (KB2653956)

Security Update for Windows XP (KB2659262)

Security Update for Windows XP (KB2661637)

Security Update for Windows XP (KB2676562)

Security Update for Windows XP (KB2686509)

Security Update for Windows XP (KB2695962)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Skype Toolbars

Skype™ 5.3

SMART BRO

Spybot - Search & Destroy

SUPERAntiSpyware

Synaptics Pointing Device Driver

syncables desktop

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB978506)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2641690)

Update for Windows XP (KB2718704)

Update for Windows XP (KB898461)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

USB2.0 Card Reader Software

Viewpoint Media Player

WebFldrs XP

Windows Backup Utility

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Yahoo! Messenger

.

==== Event Viewer Messages From Past Week ========

.

7/5/2012 6:11:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

7/5/2012 6:06:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL

7/5/2012 6:05:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

.

==== End Of File ===========================


Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


Thank you. MBAM Quick Scan log follows. Will do ComboFix and DDS log next.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.05.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Edward :: EDHPMINI [administrator]

7/6/2012 1:55:55 PM

mbam-log-2012-07-06 (13-55-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 212365

Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


Not yet. I've been working on my desktop problems (another post topic) and using the netbook for research. Since my original post, I have restarted XP many times in safe mode and scanned with MBAM, MSE, SuperAntispyware and Spybot - always clean. I installed Comodo firewall, also. I'm a little hesitant to run ComboFix for fear of having 2 machines down - at least not until I have my desktop clean. What do you think?

Ed


Feel free to wait. Send me an update here when you're ready.


Chris,

MBAM full scan log (safe mode) follows. Then ran ComboFix (Windows XP Recovery Console could not be installed and run when prompted) and log follows. Note that when I opened IE after that, default browser had changed. Ran DDS log next which follows.

Ed

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.07.10.09

Windows XP Service Pack 3 x86 NTFS (Safe Mode)

Internet Explorer 8.0.6001.18702

Edward :: EDHPMINI [administrator]

7/10/2012 11:52:51 AM

mbam-log-2012-07-10 (11-52-51).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 255794

Time elapsed: 1 hour(s), 5 minute(s), 12 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ComboFix 12-07-10.01 - Edward 07/10/2012 13:40:55.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.609 [GMT -4:00]

Running from: c:\documents and settings\Edward\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\HP\HPBTWD.exe

c:\windows\offitems.log

.

.

((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))

.

.

2012-07-10 00:39 . 2012-05-31 00:41 6762896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07A4CB85-D57C-44E8-9CAE-2AAADDC4008E}\mpengine.dll

2012-07-09 15:46 . 2012-07-09 15:46 -------- d-----w- c:\program files\CCleaner

2012-07-09 15:06 . 2012-05-31 00:41 6762896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-08 18:10 . 2012-07-08 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2012-07-08 18:10 . 2012-07-08 18:10 -------- d-----w- c:\documents and settings\Edward\Application Data\Canneverbe Limited

2012-07-08 18:09 . 2012-07-08 18:09 -------- d-----w- c:\program files\CDBurnerXP

2012-07-08 15:21 . 2012-07-08 17:25 -------- d-----w- c:\program files\nLite

2012-07-07 20:27 . 2012-07-07 20:30 -------- d-----w- c:\windows\SxsCaPendDel

2012-07-07 19:22 . 2012-07-07 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2012-07-07 19:22 . 2012-07-07 19:22 -------- d-----w- c:\program files\COMODO

2012-07-07 16:13 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-07-07 16:10 . 2012-06-04 21:35 222448 ----a-w- c:\windows\system32\muweb.dll

2012-07-07 16:10 . 2012-06-02 19:18 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-07-07 16:09 . 2012-07-07 16:10 -------- d-----w- c:\program files\Microsoft Security Client

2012-07-07 15:04 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll

2012-07-07 15:01 . 2012-06-02 19:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-07-06 13:56 . 2012-07-06 13:57 -------- d-----w- c:\documents and settings\Administrator

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\documents and settings\Edward\Application Data\Malwarebytes

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-05 22:00 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-19 16:40 . 2012-07-09 23:05 -------- d-----w- c:\documents and settings\Edward\Local Settings\Application Data\Deployment

2012-06-15 06:30 . 2012-07-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-06-15 06:30 . 2012-06-15 06:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-08 03:14 . 2012-06-08 02:52 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-08 03:14 . 2012-06-08 02:52 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-04 21:35 . 2009-08-07 00:23 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 19:19 . 2007-07-31 18:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 19:19 . 2010-01-22 18:18 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 19:19 . 2010-01-22 18:18 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 19:19 . 2007-07-31 18:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 19:19 . 2010-01-22 18:18 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 19:19 . 2010-01-22 18:18 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 19:19 . 2008-04-15 12:00 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 19:19 . 2007-07-31 18:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 19:19 . 2007-07-31 18:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 19:19 . 2007-07-31 18:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 19:19 . 2010-01-22 18:18 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-05-31 13:22 . 2008-04-15 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08 . 2010-03-16 01:07 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20 . 2009-08-14 13:21 1863168 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 14:42 . 2010-03-16 01:07 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 14:42 . 2009-03-08 08:34 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 11:38 . 2009-03-08 08:35 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16 . 2010-02-11 19:12 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32 . 2010-02-11 19:12 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46 . 2008-04-15 12:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Edward\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]

"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]

.

c:\documents and settings\Edward\Start Menu\Programs\Startup\

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Edward^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\Edward\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-12-03 09:34 35184 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-02-15 21:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-02-17 06:30 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-02-15 21:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-06-15 00:58 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]

2009-03-30 20:47 483428 ----a-w- c:\program files\IDT\WDM\sttray.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Edward\\Application Data\\mjusbsp\\magicJack.exe"=

.

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 6:59 PM 494816]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 6:59 PM 31704]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/14/2009 8:47 PM 113664]

S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [5/31/2011 10:35 AM 81920]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 5:03 PM 38912]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [6/14/2009 8:48 PM 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.10.1

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-10 13:47

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(488)

c:\windows\system32\guard32.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'lsass.exe'(544)

c:\windows\system32\guard32.dll

.

Completion time: 2012-07-10 13:50:06

ComboFix-quarantined-files.txt 2012-07-10 17:50

.

Pre-Run: 146,951,643,136 bytes free

Post-Run: 146,939,707,392 bytes free

.

- - End Of File - - 90EF68717F0629F2D4E544E8A680749B

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Edward at 14:11:13 on 2012-07-10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.515 [GMT -4:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: COMODO Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

c:\Program Files\Microsoft Security Client\MsMpEng.exe

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

c:\program files\idt\wdm\STacSV.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\syncables\syncables desktop\Syncables.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\syncables\syncables desktop\MigoMapi.exe

svchost.exe

C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll

uRun: [cdloader] "c:\documents and settings\edward\application data\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [syncables] c:\program files\syncables\syncables desktop\Syncables.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h

StartupFolder: c:\docume~1\edward\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341673129609

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341692565031

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

TCP: DhcpNameServer = 192.168.10.1

TCP: Interfaces\{7A4E10C4-B481-4152-AFB4-4DC65DD78684} : DhcpNameServer = 192.168.10.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-12-19 494816]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 31704]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2011-5-31 81920]

R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-12-19 1960584]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-14 113664]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-6-14 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

.

=============== Created Last 30 ================

.

2012-07-10 17:51:25 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{537ee861-3ea6-443e-8814-f8be0fd4f3de}\mpengine.dll

2012-07-10 17:35:56 98816 ----a-w- c:\windows\sed.exe

2012-07-10 17:35:56 518144 ----a-w- c:\windows\SWREG.exe

2012-07-10 17:35:56 256000 ----a-w- c:\windows\PEV.exe

2012-07-10 17:35:56 208896 ----a-w- c:\windows\MBR.exe

2012-07-09 15:46:27 -------- d-----w- c:\program files\CCleaner

2012-07-09 15:06:07 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-07-08 18:10:06 -------- d-----w- c:\documents and settings\all users\application data\Canneverbe Limited

2012-07-08 18:10:05 -------- d-----w- c:\documents and settings\edward\application data\Canneverbe Limited

2012-07-08 15:21:47 -------- d-----w- c:\program files\nLite

2012-07-07 20:27:45 -------- d-----w- c:\windows\SxsCaPendDel

2012-07-07 19:22:39 -------- d-----w- c:\documents and settings\all users\application data\Comodo

2012-07-07 19:22:31 -------- d-----w- c:\program files\COMODO

2012-07-07 16:13:58 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-07-07 16:10:39 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-07-07 16:10:39 222448 ----a-w- c:\windows\system32\muweb.dll

2012-07-07 16:10:39 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2012-07-07 16:09:56 -------- d-----w- c:\program files\Microsoft Security Client

2012-07-07 15:04:11 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll

2012-07-07 15:01:09 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-07-05 22:00:43 -------- d-----w- c:\documents and settings\edward\application data\Malwarebytes

2012-07-05 22:00:12 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-07-05 22:00:11 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-05 22:00:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-19 16:40:11 -------- d-----w- c:\documents and settings\edward\local settings\application data\Deployment

2012-06-15 06:30:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-06-15 06:30:17 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

.

==================== Find3M ====================

.

2012-06-08 03:14:46 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-08 03:14:46 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 14:12:30.92 ===============


Hi,

Please download this file and save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317


ComboFix 12-07-10.01 - Edward 07/10/2012 15:33:28.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.600 [GMT -4:00]

Running from: c:\documents and settings\Edward\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Edward\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

.

((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))

.

.

2012-07-10 19:29 . 2012-07-10 19:29 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{537EE861-3EA6-443E-8814-F8BE0FD4F3DE}\MpKslbc638402.sys

2012-07-10 19:28 . 2012-07-10 19:28 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{537EE861-3EA6-443E-8814-F8BE0FD4F3DE}\offreg.dll

2012-07-10 17:51 . 2012-05-31 00:41 6762896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{537EE861-3EA6-443E-8814-F8BE0FD4F3DE}\mpengine.dll

2012-07-09 15:46 . 2012-07-09 15:46 -------- d-----w- c:\program files\CCleaner

2012-07-09 15:06 . 2012-05-31 00:41 6762896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-07-08 18:10 . 2012-07-08 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited

2012-07-08 18:10 . 2012-07-08 18:10 -------- d-----w- c:\documents and settings\Edward\Application Data\Canneverbe Limited

2012-07-08 18:09 . 2012-07-08 18:09 -------- d-----w- c:\program files\CDBurnerXP

2012-07-08 15:21 . 2012-07-08 17:25 -------- d-----w- c:\program files\nLite

2012-07-07 20:27 . 2012-07-07 20:30 -------- d-----w- c:\windows\SxsCaPendDel

2012-07-07 19:22 . 2012-07-07 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2012-07-07 19:22 . 2012-07-07 19:22 -------- d-----w- c:\program files\COMODO

2012-07-07 16:13 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-07-07 16:10 . 2012-06-04 21:35 222448 ----a-w- c:\windows\system32\muweb.dll

2012-07-07 16:10 . 2012-06-02 19:18 275696 ----a-w- c:\windows\system32\mucltui.dll

2012-07-07 16:09 . 2012-07-07 16:10 -------- d-----w- c:\program files\Microsoft Security Client

2012-07-07 15:04 . 2012-05-11 14:42 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll

2012-07-07 15:01 . 2012-06-02 19:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-07-06 13:56 . 2012-07-06 13:57 -------- d-----w- c:\documents and settings\Administrator

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\documents and settings\Edward\Application Data\Malwarebytes

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-07-05 22:00 . 2012-07-05 22:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-05 22:00 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-19 16:40 . 2012-07-09 23:05 -------- d-----w- c:\documents and settings\Edward\Local Settings\Application Data\Deployment

2012-06-15 06:30 . 2012-07-09 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2012-06-15 06:30 . 2012-06-15 06:30 -------- d-----w- c:\program files\Spybot - Search & Destroy

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-08 03:14 . 2012-06-08 02:52 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-08 03:14 . 2012-06-08 02:52 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-04 21:35 . 2009-08-07 00:23 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 19:19 . 2007-07-31 18:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 19:19 . 2010-01-22 18:18 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 19:19 . 2010-01-22 18:18 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 19:19 . 2007-07-31 18:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 19:19 . 2010-01-22 18:18 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 19:19 . 2010-01-22 18:18 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 19:19 . 2008-04-15 12:00 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 19:19 . 2007-07-31 18:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 19:19 . 2007-07-31 18:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 19:19 . 2007-07-31 18:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 19:19 . 2010-01-22 18:18 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-05-31 13:22 . 2008-04-15 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-16 15:08 . 2010-03-16 01:07 916992 ----a-w- c:\windows\system32\wininet.dll

2012-05-15 13:20 . 2009-08-14 13:21 1863168 ----a-w- c:\windows\system32\win32k.sys

2012-05-11 14:42 . 2010-03-16 01:07 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-05-11 14:42 . 2009-03-08 08:34 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-05-11 11:38 . 2009-03-08 08:35 385024 ----a-w- c:\windows\system32\html.iec

2012-05-04 13:16 . 2010-02-11 19:12 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-04 12:32 . 2010-02-11 19:12 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-02 13:46 . 2008-04-15 12:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-07-10_17.47.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-07-10 19:18 . 2012-07-10 19:18 16384 c:\windows\temp\Perflib_Perfdata_7c8.dat

+ 2008-06-25 01:26 . 2012-07-10 19:23 72582 c:\windows\system32\perfc009.dat

- 2008-06-25 01:26 . 2012-07-10 17:07 72582 c:\windows\system32\perfc009.dat

+ 2008-06-25 01:26 . 2012-07-10 19:23 443482 c:\windows\system32\perfh009.dat

- 2008-06-25 01:26 . 2012-07-10 17:07 443482 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"cdloader"="c:\documents and settings\Edward\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]

"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-12-21 6676808]

.

c:\documents and settings\Edward\Start Menu\Programs\Startup\

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^Documents and Settings^Edward^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\Edward\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-12-03 09:34 35184 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-15 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2008-02-15 21:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-02-17 06:30 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-02-15 21:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-06-15 00:58 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]

2009-03-30 20:47 483428 ----a-w- c:\program files\IDT\WDM\sttray.exe

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Edward\\Application Data\\mjusbsp\\magicJack.exe"=

.

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [12/19/2011 6:59 PM 494816]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 6:59 PM 31704]

R1 MpKslbc638402;MpKslbc638402;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{537EE861-3EA6-443E-8814-F8BE0FD4F3DE}\MpKslbc638402.sys [7/10/2012 3:29 PM 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/14/2009 8:47 PM 113664]

S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [5/31/2011 10:35 AM 81920]

S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 5:03 PM 38912]

S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [6/14/2009 8:48 PM 160256]

S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MPKSLBC638402

.

Contents of the 'Scheduled Tasks' folder

.

2012-07-10 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job

- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-07-10 15:40

Windows 5.1.2600 Service Pack 3 NTFS

.

detected NTDLL code modification:

ZwClose

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(488)

c:\windows\system32\guard32.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

- - - - - - - > 'lsass.exe'(544)

c:\windows\system32\guard32.dll

.

- - - - - - - > 'explorer.exe'(1280)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2012-07-10 15:42:30

ComboFix-quarantined-files.txt 2012-07-10 19:42

ComboFix2.txt 2012-07-10 17:50

.

Pre-Run: 146,923,122,688 bytes free

Post-Run: 146,908,569,600 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 74E87C8C7AC80BAB7CB727BEBE4C529B


Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the option Remove found threats and the option Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=756bc664e41d244e8357559b39e44110

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-07-10 10:24:54

# local_time=2012-07-10 06:24:54 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=3073 16777213 80 71 0 19358704 0 0

# compatibility_mode=5891 16776533 42 92 0 9070024 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=50871

# found=0

# cleaned=0

# scan_time=7007

Results of screen317's Security Check version 0.99.42

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Disabled!

ESET Online Scanner v3

COMODO Internet Security

Microsoft Security Essentials

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

SUPERAntiSpyware

Malwarebytes Anti-Malware version 1.61.0.1400

CCleaner

Java 6 Update 11

Java version out of Date!

Adobe Reader 9 Adobe Reader out of Date!

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Comodo Firewall cmdagent.exe

Comodo Firewall cfp.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 2%

````````````````````End of Log``````````````````````


Hi,

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Spybot - Search & Destroy

Java™ 6 Update 11

Adobe Reader 9

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

Let me know what issues remain.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

