View Full Version : SpyBot, etc won't run, Google redirect with IE
BobbaLouie
2009-10-08, 02:10
Hello,
I'm having a problem with WinXp SP3 that seems similar to Ginge09 in this thread: http://forums.spybot.info/showthread.php?t=52292. SpyBot won't run, or rather, it starts, but then is intercepted and made inoperative. Renaming the exe or trying to run the scr file ends up the same way. The same thing happens with Malwarebyte's anti malware: As soon as I try to launch a scan the window disappears and the program is made inoperative. I have tried renaming the exe and they are treated in the same fashion and become inoperative.
HijackThis does the same thing. I attempt to run it and it is killed immediately, and subsequent attempts to run it give access denied.
Following some instructions from the other thread, DDS did not run--it also dies after a couple seconds and creates no log. I was able to run exeHelper however, and it gives this:
exeHelper by Raktor - 09
Build 20090925
Run at 17:15:25 on 10/07/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
exefile="%1" %*
.exe=exefile
Resetting filetype association for .com
comfile="%1" %*
.com=comfile
Resetting userinit and shell values...
Resetting policies...
--Finished--
I'm hoping someone can help me.
Thanks
BobbaLouie
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Please do not run any scans or programs unless directed to or your just going to complicate the cleanup .
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
BobbaLouie
2009-10-09, 17:37
Thank you so much for the reply. This infected machine is really starting to get to me.
Here are the results of running RootRepeal:
Upon startup, I get a "RootRepeal Error" dialog, stating "Error - invalid PE image found!"
Here is the log:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/09 09:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4483000 Size: 49152 File Visible: No Signed: -
Status: -
Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xA6BA9000 Size: 8960 File Visible: No Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBAC70000 Size: 20480 File Visible: No Signed: -
Status: -
Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB460D000 Size: 61440 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xa6ba96d0
==EOF==
I will also add that when I attempt to scan the file system, it, like all the other scanners I've tried, goes for a little while and then just disappears.
Thanks,
BobbaLouie
BobbaLouie,
Your infected with a Rootkit thats preventing most security scanners from running.
This fix has to be done in stages as to no confuse you.
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
BobbaLouie
2009-10-09, 19:25
Win32kDiag.txt contents:
Running from: C:\Documents and Settings\bobbalouie\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\bobbalouie\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB917953\KB917953
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\A6W_DATA\A6W_DATA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\Microsoft.VisualStudio
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner.Mobile\Microsoft.VSDesigner.Mobile
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP233.tmp\ZAP233.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F5.tmp\ZAP2F5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30E.tmp\ZAP30E.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\B2744950CD2492E41A16C2CC10A17EED\8.0.117\8.0.117
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 23:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\Patcher4728\Patcher4728
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\WMD\WMD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\WMFA\WMFA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
Make sure you still have Win32kdiag on your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
BobbaLouie
2009-10-09, 20:08
Win32kDiag.txt:
Running from: c:\Documents and Settings\bobbalouie\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\bobbalouie\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB917953\KB917953
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB917953\KB917953
Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Found mount point : C:\WINDOWS\A6W_DATA\A6W_DATA
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\A6W_DATA\A6W_DATA
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\Microsoft.VisualStudio
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VisualStudio\Microsoft.VisualStudio
Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner.Mobile\Microsoft.VSDesigner.Mobile
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.VSDesigner.Mobile\Microsoft.VSDesigner.Mobile
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP233.tmp\ZAP233.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP233.tmp\ZAP233.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F5.tmp\ZAP2F5.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F5.tmp\ZAP2F5.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30E.tmp\ZAP30E.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30E.tmp\ZAP30E.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP334.tmp\ZAP334.tmp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\B2744950CD2492E41A16C2CC10A17EED\8.0.117\8.0.117
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\B2744950CD2492E41A16C2CC10A17EED\8.0.117\8.0.117
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63
Found mount point : C:\WINDOWS\Installer\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}\{F12D0979-B2E1-4FAE-B5E3-9A1E6D0D89B4}
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 23:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\Temp\Patcher4728\Patcher4728
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Patcher4728\Patcher4728
Found mount point : C:\WINDOWS\Temp\WMD\WMD
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\WMD\WMD
Found mount point : C:\WINDOWS\Temp\WMFA\WMFA
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\WMFA\WMFA
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Finished!
Great :)
You downloaded and ran exehelper before but because of this rootkit it most likely did not run properly. Drag it to the trash and download a fresh copy and run it please.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
BobbaLouie
2009-10-09, 20:34
exehelperlog.txt:
exeHelper by Raktor - 09
Build 20090925
Run at 12:33:37 on 10/09/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
What we have done so far is not remove the Rootkit, but chipping away at it so that we will be able to run a tool that will remove it.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
BobbaLouie
2009-10-09, 21:49
Everything ran correctly. Here is ComboFix.txt, hijackthis log will follow in the next post.
ComboFix 09-10-08.04 - bobbalouie 10/09/2009 13:22.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1110 [GMT -5:00]
Running from: c:\documents and settings\bobbalouie\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {BE118821-8C29-4952-9C0D-E9BE86BF23D1}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {BE118821-8C29-4952-9C0D-E9BE86BF23D1}
FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {E97937E6-2DD6-4F7D-9A3B-8C4D660B0CDF}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\bobbalouie\Local Settings\Temporary Internet Files\AllModuleInfo.txt
C:\install.exe
c:\recycler\S-1-5-21-583907252-2139871995-725345543-500
c:\windows\AUTOLNCH.REG
c:\windows\win32k.sys
----- BITS: Possible infected sites -----
hxxp://usslmcli001.net.plm.eds.com
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Legacy_R_SERVER
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_npf
-------\Service_r_server
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.
2009-10-09 18:32 . 2009-10-09 18:32 -------- d-----w- c:\temp\WPDNSE
2009-10-09 18:31 . 2009-10-09 18:31 53248 ----a-w- c:\temp\catchme.dll
2009-10-09 18:31 . 2009-07-27 06:45 296224 ----a-w- c:\temp\IP9A72.EXE
2009-10-09 18:30 . 2009-10-09 18:30 16384 ----atw- c:\temp\Perflib_Perfdata_48c.dat
2009-10-09 14:18 . 2009-10-09 14:19 -------- d-----w- c:\temp\plugtmp-2
2009-10-09 00:08 . 2009-10-09 00:08 -------- d-----w- c:\temp\RarSFX8
2009-10-09 00:08 . 2009-10-09 00:08 -------- d-----w- c:\temp\RarSFX7
2009-10-09 00:08 . 2009-10-09 00:08 -------- d-----w- c:\temp\RarSFX6
2009-10-08 23:44 . 2009-10-08 23:44 -------- d-----w- c:\temp\RarSFX5
2009-10-08 22:36 . 2009-10-08 22:36 -------- d-----w- c:\program files\Sophos
2009-10-07 22:27 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-07 22:26 . 2009-10-07 22:29 -------- d-----w- c:\program files\Malwareremoval
2009-10-07 22:26 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\Malwarebytes
2009-10-07 22:23 . 2009-10-07 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 22:16 . 2009-10-09 18:26 -------- d-----w- c:\temp\RarSFX4
2009-10-07 22:15 . 2009-10-07 22:15 -------- d-----w- c:\temp\RarSFX3
2009-10-07 22:14 . 2009-10-09 18:26 -------- d-----w- c:\temp\RarSFX2
2009-10-07 22:14 . 2009-10-07 22:14 -------- d-----w- c:\temp\RarSFX1
2009-10-07 22:14 . 2009-10-07 22:14 -------- d-----w- c:\temp\RarSFX0
2009-10-07 21:51 . 2009-10-07 21:51 -------- d-----w- c:\program files\ERUNT
2009-10-07 21:42 . 2009-10-07 21:47 -------- d-----w- c:\program files\blaaaaa
2009-10-07 21:32 . 2009-10-07 21:38 -------- d-----w- c:\program files\blaaa
2009-10-07 21:18 . 2009-10-07 21:34 -------- d-----w- c:\program files\blaaaa
2009-10-06 16:26 . 2009-10-06 16:27 -------- d-----w- c:\temp\plugtmp-1
2009-10-06 15:47 . 2009-10-06 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-06 15:46 . 2009-10-06 15:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-06 15:46 . 2009-10-06 15:46 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\SUPERAntiSpyware.com
2009-10-06 15:46 . 2009-10-06 15:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-06 13:49 . 2009-10-06 15:41 -------- d-----w- C:\$AVG8.VAULT$
2009-10-05 23:52 . 2009-10-06 15:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 23:52 . 2009-10-06 15:23 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 23:52 . 2009-10-05 23:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 23:52 . 2009-10-06 15:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 23:52 . 2009-10-09 13:55 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-05 23:52 . 2009-10-05 23:52 -------- d-----w- c:\program files\AVG
2009-10-05 23:52 . 2009-10-05 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 23:51 . 2009-10-05 23:53 -------- d-----w- c:\temp\7zS1.tmp
2009-10-05 19:17 . 2009-10-05 20:59 -------- d-----w- c:\program files\blaa
2009-10-05 18:38 . 2009-10-07 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 18:38 . 2009-10-05 19:03 -------- d-----w- c:\program files\bla
2009-10-04 17:38 . 2009-10-04 17:38 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\Office Genuine Advantage
2009-10-02 17:26 . 2009-10-02 17:26 -------- d-----w- c:\program files\Pano2VR
2009-10-01 21:12 . 2009-10-01 23:16 -------- d-----w- c:\temp\C__DOCUME~1_bobbalouie_APPLIC~1_IDMComp_ULTRAE~1_QUARK_~1.TXT0
2009-09-29 19:38 . 2009-10-05 18:40 -------- d-----w- c:\temp\Nkn3D7.tmp
2009-09-29 19:36 . 2009-10-05 18:40 -------- d-----w- c:\temp\Nkn3D5.tmp
2009-09-29 19:35 . 2009-10-05 18:40 -------- d-----w- c:\temp\Nkn3D3.tmp
2009-09-28 22:50 . 2009-10-01 16:19 -------- d-----w- c:\temp\ipx420.IPIXIS
2009-09-28 22:49 . 2004-07-14 17:54 676864 ----a-w- c:\windows\system32\drivers\hardlock.sys
2009-09-28 22:49 . 2009-09-28 22:49 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-09-28 22:49 . 2009-09-28 22:49 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-09-28 22:49 . 2009-09-28 22:49 383 ----a-w- c:\windows\system32\haspdos.sys
2009-09-28 22:49 . 2009-09-28 22:49 -------- d-----w- c:\windows\occache
2009-09-28 22:49 . 2005-07-11 22:52 588288 ----a-w- c:\windows\system32\Ipx32d56.dll
2009-09-28 22:49 . 2009-09-28 22:50 -------- d-----w- c:\program files\Common Files\iPIX
2009-09-28 22:49 . 2005-07-11 22:52 729088 ----a-w- c:\windows\system32\Ipx32_56.dll
2009-09-28 22:49 . 2005-07-11 22:52 448000 ----a-w- c:\windows\system32\MM32DCMP.DLL
2009-09-28 22:49 . 2009-09-28 22:49 -------- d-----w- c:\program files\iPIX
2009-09-24 15:51 . 2009-09-24 15:53 -------- d-----w- c:\temp\ge4264
2009-09-24 03:31 . 2009-09-24 03:31 207640 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-23 16:57 . 2009-09-23 16:57 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\ArGoSoft
2009-09-23 16:55 . 2009-09-23 16:55 -------- d-----w- c:\documents and settings\bobbalouie\Local Settings\Application Data\Apple_Inc
2009-09-23 16:31 . 2009-09-23 16:31 -------- d-----w- c:\program files\iPod
2009-09-23 16:31 . 2009-09-23 16:32 -------- d-----w- c:\program files\iTunes
2009-09-23 16:20 . 2009-09-23 16:20 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-22 15:08 . 2009-09-22 15:08 -------- d-----w- c:\program files\Easypano
2009-09-17 19:30 . 2009-09-23 23:26 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\SQLyog
2009-09-17 19:30 . 2009-09-17 19:30 -------- d-----w- c:\program files\SQLyog Community
2009-09-15 21:31 . 2009-09-15 21:32 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\TrueCrypt
2009-09-15 21:30 . 2009-09-15 21:30 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-09-15 21:30 . 2009-09-15 21:30 -------- d-----w- c:\program files\TrueCrypt
2009-09-09 22:47 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 20:05 . 2009-09-09 20:05 62632 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-09 18:33 . 2009-09-09 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 18:03 . 2005-11-30 15:33 -------- d-----w- c:\program files\Mobile Automation
2009-10-09 15:04 . 2006-09-08 14:52 -------- d-----w- c:\program files\stt
2009-10-08 15:29 . 2008-06-10 19:43 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\FileZilla
2009-10-07 23:13 . 2006-05-23 12:12 -------- d-----w- c:\program files\Trend Micro
2009-10-05 21:42 . 2006-11-08 20:46 -------- d-----w- c:\program files\Opera
2009-10-05 21:41 . 2007-03-30 16:45 -------- d-----w- c:\program files\Neat Image
2009-10-02 21:56 . 2008-02-20 00:09 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\MySQL
2009-10-02 17:27 . 2009-01-22 18:08 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\GardenGnomeSoftware
2009-09-29 19:38 . 2006-09-18 20:39 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLbz.DAT
2009-09-23 16:31 . 2007-07-12 22:35 -------- d-----w- c:\program files\Common Files\Apple
2009-09-09 23:00 . 2006-09-06 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-09 22:52 . 2009-08-03 18:57 -------- d-----w- c:\program files\Java
2009-09-09 18:46 . 2006-09-18 15:49 -------- d-----w- c:\documents and settings\bobbalouie\Application Data\Apple Computer
2009-08-31 18:21 . 2009-07-24 14:11 -------- d-----w- c:\program files\Free Video Converter
2009-08-29 00:42 . 2008-09-10 15:41 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2007-11-13 17:12 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-24 19:54 . 2006-09-18 20:16 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-08-24 19:54 . 2007-01-29 16:16 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLeh.DAT
2009-08-10 18:33 . 2006-09-18 14:11 81320 ----a-w- c:\documents and settings\bobbalouie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-07 00:24 . 2005-11-29 16:19 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-11-29 16:19 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2006-05-09 14:50 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2005-11-29 16:19 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-11-29 16:19 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-04 04:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2005-11-29 16:19 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2008-01-22 21:01 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2008-01-22 21:01 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-11-29 16:19 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 04:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 10:23 . 2009-08-03 18:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 04:56 58880 ------w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 04:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-07-09 21:30 . 2007-07-09 21:30 57344 -c--a-w- c:\program files\internet explorer\plugins\PluginWrapper.dll
2005-07-11 22:52 . 2009-09-28 22:49 32768 ----a-w- c:\program files\mozilla firefox\plugins\appsub32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMMUNICATOR"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 5803368]
"wben"="c:\program files\Starfield\Desktop Notifier\wben.exe" [2009-06-25 338456]
"\\192.168.1.116\EPSON NX300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE" [2008-01-21 188928]
"HijackThis startup scan"="d:\install\spybot\HijackThis.exe" [2009-10-07 401720]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\apps\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-01-09 868352]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-07-27 718120]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SIECACST"="c:\program files\Siemens\CardOS API\bin\siecacst.exe" [2007-08-02 81920]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"QuickTime Task"="c:\apps\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-04 7204864]
"EPM Agent"="c:\progra~1\MOBILE~1\rstate.exe" [2006-05-26 94208]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-11-04 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 5803368]
"MSMSGS"="c:\progra~1\MESSEN~1\Msmsgs.exe" [2005-09-01 1658592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Install Pending Files.LNK - c:\program files\PTPNDFLS\PTPNDFLS.EXE [2006-9-6 1695744]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-1-9 41041]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-9-18 118784]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-06 15:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\apps\\MSOffice\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 6:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 6:52 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 6:52 PM 297752]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;c:\program files\Mobile Automation\rstate.exe [11/30/2005 10:33 AM 94208]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [11/9/2005 8:34 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/9/2005 8:34 PM 36368]
R2 wsnm;VMware VDM Client Service;c:\program files\VMware\VMware VDM\Client\bin\wsnm.exe [5/8/2008 6:51 PM 131072]
R3 cxbu0wdm;CardMan 3x21;c:\windows\system32\drivers\cxbu0wdm.sys [1/15/2008 1:39 PM 97792]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [9/6/2006 5:11 PM 11113]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [11/23/2007 4:15 PM 338960]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [3/31/2008 12:51 PM 488768]
R3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\WSUSBDMAN.sys [5/8/2008 6:45 PM 21504]
S2 gupdate1c98bcf40f039ca;Google Update Service (gupdate1c98bcf40f039ca);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2009 5:31 PM 133104]
S2 SttService;Stt Services;c:\windows\SttService.exe [5/19/2009 1:20 PM 36923]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [9/6/2006 5:11 PM 782336]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [9/6/2006 5:11 PM 216459]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4E9.tmp --> c:\windows\system32\4E9.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 SIWIO;SIW low-level I/O driver;\??\c:\windows\TEMP\SiwIo.sys --> c:\windows\TEMP\SiwIo.sys [?]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [3/31/2008 12:51 PM 652552]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MDM
*NewlyCreated* - OSE
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2008-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 22:30]
2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-10 22:30]
2009-10-08 c:\windows\Tasks\stt_inv_report_24.job
- c:\program files\stt\stt_report_controller.bat [2006-09-08 13:52]
2009-10-09 c:\windows\Tasks\User_Feed_Synchronization-{1F129A1B-6685-4148-8FB7-5609AA0C6559}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://infoweb.ugs.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\apps\MSOffice\Office12\EXCEL.EXE/3000
Trusted Zone: swserve
Trusted Zone: ugs.com
TCP: {BA8A4B2F-E44F-4BF5-B0ED-54F7D46E3501} = 134.244.252.169,146.122.6.16
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - hxxp://www.ipix.com/viewers/ipixx.cab
FF - ProfilePath - c:\documents and settings\bobbalouie\Application Data\Mozilla\Firefox\Profiles\279ww07z.default\
FF - prefs.js: browser.startup.homepage - hxxp://infoweb.ugs.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: c:\apps\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npipx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPipxLicenseRetriever.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-Guitar Leads - d:\program files\Guitar-Leads.com\uninst.exe
AddRemove-WZCLINE - c:\apps\WinZip\winzip32
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 13:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\4E9.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"d:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@DACL=(02 0011)
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@DACL=(02 0011)
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@DACL=(02 0011)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1324)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\apps\Hummingbird\Hummingbird Neighborhood\heshell.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Hummingbird\Connectivity\10.00\Inetd\inetd32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Trend Micro\OfficeScan Client\NTRtScan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\tcpsvcs.exe
c:\program files\Trend Micro\OfficeScan Client\TmListen.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\temp\IP9A72.EXE
C:\Updater.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-09 13:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 18:41
Pre-Run: 512,024,576 bytes free
Post-Run: 1,278,980,096 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
382 --- E O F --- 2009-10-04 17:31
BobbaLouie
2009-10-09, 21:50
Here is HijackThis.log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:04 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\10.00\Inetd\inetd32.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\mobile automation\rstate.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\TEMP\IP9A72.EXE
C:\apps\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Updater.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
D:\Install\spybot\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://infoweb.ugs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\apps\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKCU\..\Run: [COMMUNICATOR] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [\\192.168.1.116\EPSON NX300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "C:\Temp\E_S2D4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Install\spybot\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\apps\MSOffice\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\apps\MSOffice\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infoweb.ugs.com/
O15 - Trusted Zone: http://*.swserve
O15 - Trusted Zone: http://*.ugs.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ugsuniv.ugs.com/courses/hr/installs/authorware_player/cab/awswaxd.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = net.plm.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA8A4B2F-E44F-4BF5-B0ED-54F7D46E3501}: NameServer = 134.244.252.169,146.122.6.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1c98bcf40f039ca) (gupdate1c98bcf40f039ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\10.00\Inetd\inetd32.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Stt Services (SttService) - Unknown owner - C:\WINDOWS\SttService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware VDM Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
--
End of file - 15006 bytes
I need a bit of time to go over your Combofix log, in the meantime do this.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
How are things running now ??
BobbaLouie
2009-10-09, 23:35
Ken545,
Things are running MUCH better now, I can't thank you enough. The help you provide here is commendable, kudos to you and your brethren for all the work in ridding the world of this crap-ware.
I know I'm going to hit that 'donate' button, and contribute to the cause. I would urge all others reading this thread to do the same!
BobbaLouie
Here are the new results from Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:05 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\Hummingbird\Connectivity\10.00\Inetd\inetd32.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\mobile automation\rstate.exe
D:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SttService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\TEMP\JL955E.EXE
C:\apps\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Updater.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\apps\MSOffice\Office12\OUTLOOK.EXE
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Malwareremoval\mbam.exe
c:\uedit\Uedit32.exe
D:\Install\spybot\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://infoweb.ugs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\apps\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SIECACST] C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\apps\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\MOBILE~1\rstate.exe /LOGON
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwareremoval\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [COMMUNICATOR] "c:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [\\192.168.1.116\EPSON NX300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "C:\Temp\E_S2D4.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [HijackThis startup scan] D:\Install\spybot\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\apps\MSOffice\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\apps\MSOffice\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://infoweb.ugs.com/
O15 - Trusted Zone: http://*.swserve
O15 - Trusted Zone: http://*.ugs.com
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ugsuniv.ugs.com/courses/hr/installs/authorware_player/cab/awswaxd.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {87BF5318-D5F0-41F4-9D14-47967FA8C12B} - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = net.plm.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA8A4B2F-E44F-4BF5-B0ED-54F7D46E3501}: NameServer = 134.244.252.169,146.122.6.16
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = net.plm.eds.com,ugs.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1c98bcf40f039ca) (gupdate1c98bcf40f039ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\System32\Hummingbird\Connectivity\10.00\Inetd\inetd32.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Stt Services (SttService) - Unknown owner - C:\WINDOWS\SttService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VMware VDM Client Service (wsnm) - VMware, Inc. - C:\Program Files\VMware\VMware VDM\Client\bin\wsnm.exe
--
End of file - 15402 bytes
BobbaLouie
2009-10-09, 23:36
Oh, yeah....Mbam scan found nothing. Here is the log:
Malwarebytes' Anti-Malware 1.41
Database version: 2932
Windows 5.1.2600 Service Pack 3
10/9/2009 3:11:52 PM
mbam-log-2009-10-09 (15-11-52).txt
Scan type: Quick Scan
Objects scanned: 227474
Time elapsed: 7 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
BobbaLouie,
Thank you for for your kind words. :)
You need to enable windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
C:\TEMP <--Delete everything inside this folder but not the folder itself
c:\windows\system32\4E9.tmp <-- Delete this file
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
c:\windows\SttService.exe <--This file
As a final check, run this free online virus scanner, it may take awhile so go grab a cup of coffee :rolleyes:
Please run this free online virus scanner from ESET (http://www.eset.eu/online-scanner)
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic
BobbaLouie
2009-10-10, 02:08
I was not able to delete all the files from C:\Temp, several files are left behind saying they are in use:
Directory of C:\Temp
10/09/2009 06:03 PM <DIR> .
10/09/2009 06:03 PM <DIR> ..
10/09/2009 04:06 PM <DIR> 7zS1A.tmp
10/09/2009 06:01 PM 5,572 Edit.000
10/09/2009 05:23 PM 0 etilqs_rvrS8KdnqbWqvL8RWDkX
10/09/2009 06:01 PM 383 exehelperlog.000
10/09/2009 03:55 PM 0 ib3.tmp
10/09/2009 03:55 PM 0 ib4.tmp
10/09/2009 03:55 PM 0 ib5.tmp
10/09/2009 03:55 PM 0 ib6.tmp
10/09/2009 03:55 PM 0 ib7.tmp
10/09/2009 03:54 PM 16,384 Perflib_Perfdata_228.dat
10/09/2009 01:30 PM 0 STTService.log
07/27/2009 01:45 AM 296,224 SZ3F80.EXE
10/09/2009 06:01 PM 29,218 Win32kDiag.000
10/09/2009 06:02 PM 49,152 ~DF15F6.tmp
10/09/2009 06:02 PM 512 ~DF15FD.tmp
10/09/2009 06:02 PM 16,384 ~DF168D.tmp
10/09/2009 06:02 PM 512 ~DF1694.tmp
10/09/2009 06:02 PM 49,152 ~DF1777.tmp
10/09/2009 06:02 PM 512 ~DF177E.tmp
10/09/2009 06:02 PM 16,384 ~DFB200.tmp
10/09/2009 06:02 PM 16,384 ~DFC01C.tmp
20 File(s) 496,773 bytes
VirusTotal returned this info for STTService.exe:
File SttService.exe received on 2009.10.09 22:58:58 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 40 and 57 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.09 -
AhnLab-V3 5.0.0.2 2009.10.09 -
AntiVir 7.9.1.35 2009.10.09 -
Antiy-AVL 2.0.3.7 2009.10.09 -
Authentium 5.1.2.4 2009.10.10 -
Avast 4.8.1351.0 2009.10.09 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.10 -
CAT-QuickHeal 10.00 2009.10.09 -
ClamAV 0.94.1 2009.10.09 -
Comodo 2552 2009.10.09 -
DrWeb 5.0.0.12182 2009.10.09 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7060 2009.10.09 -
F-Prot 4.5.1.85 2009.10.10 -
F-Secure 8.0.14470.0 2009.10.09 -
Fortinet 3.120.0.0 2009.10.10 -
GData 19 2009.10.10 -
Ikarus T3.1.1.72.0 2009.10.09 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.866 2009.10.09 -
Kaspersky 7.0.0.125 2009.10.10 -
McAfee 5766 2009.10.09 -
McAfee+Artemis 5766 2009.10.09 -
McAfee-GW-Edition 6.8.5 2009.10.10 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.5101 2009.10.10 -
NOD32 4494 2009.10.09 -
Norman 6.01.09 2009.10.09 -
nProtect 2009.1.8.0 2009.10.09 -
Panda 10.0.2.2 2009.10.09 -
PCTools 4.4.2.0 2009.10.09 -
Prevx 3.0 2009.10.10 -
Rising 21.50.44.00 2009.10.09 -
Sophos 4.45.0 2009.10.10 -
Sunbelt 3.2.1858.2 2009.10.09 -
Symantec 1.4.4.12 2009.10.10 -
TheHacker 6.5.0.2.035 2009.10.10 -
TrendMicro 8.950.0.1094 2009.10.09 -
VBA32 3.12.10.11 2009.10.09 -
ViRobot 2009.10.9.1978 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.09 -
Additional information
File size: 36923 bytes
MD5...: 5fd5a7629f13b9068aa4b80996a89914
SHA1..: ad4f588bc9254058db36db91e34cae7cc410a14b
SHA256: 292107b7d538e685e8271fdefd68e0434248ee4f77868baabf43c1ccb95ec947
ssdeep: 768:4R5UCYlDe7r5Q1M+5rFsoJdclf334jVqhTA4MPv2Nl06dMy:4R5UCYsn5Q1M
yJs6dclfYjVq5MPOBdn
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x6eb0
timedatestamp.....: 0x4a1d9d99 (Wed May 27 20:07:53 2009)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x665c 0x6800 6.22 0a6e11243df2e09730e6e8fd8b846fc6
.data 0x8000 0x2944 0x1c00 5.13 3cce51bd940ac487591ed31afcb0d588
.rsrc 0xb000 0x7a4 0x800 1.43 25f5d91fd7c6aca74ca11fcdef0c4863
( 5 imports )
> MSVCRT.dll: _except_handler3, memcmp
> WS2_32.dll: -, -, WSASend, -, WSASendTo, WSARecv, WSARecvFrom, -, -, -, WSAIoctl, WSAResetEvent, WSAEnumNetworkEvents, WSAGetOverlappedResult, WSAEventSelect, -, -, -, WSACreateEvent, -, -, -, WSACloseEvent, -, -
> KERNEL32.dll: GetLastError, SetLastError, GetTickCount, SetProcessWorkingSetSize, GetCurrentProcess, TerminateProcess, CloseHandle, TerminateJobObject, CompareFileTime, GetFileAttributesExA, CreateFileA, WriteFile, SetFileTime, GetExitCodeProcess, MultiByteToWideChar, AssignProcessToJobObject, CreateProcessA, CreateJobObjectA, GetModuleFileNameA, Sleep, OpenEventA, FreeLibrary, GetProcAddress, LoadLibraryA, ReadFile, TerminateThread, CreateThread, SetHandleInformation, CreatePipe, GetStdHandle, FormatMessageA, GetSystemTime, ExitProcess, HeapAlloc, HeapFree, ExpandEnvironmentStringsA, ResetEvent, WaitForMultipleObjects, CreateEventA, CreateDirectoryA, GetFileAttributesA, SetFilePointer, SetEvent, SetErrorMode, FreeResource, LockResource, LoadResource, FindResourceA, GetCommandLineA, GetProcessHeap
> USER32.dll: CloseWindowStation, CloseDesktop, OpenDesktopA, SetProcessWindowStation, OpenWindowStationA, GetProcessWindowStation, SetUserObjectSecurity, GetUserObjectSecurity, wvsprintfA, wsprintfA, MessageBoxA
> ADVAPI32.dll: CopySid, GetLengthSid, GetTokenInformation, SetSecurityDescriptorDacl, AddAccessAllowedAce, AddAccessAllowedAceEx, AddAce, InitializeAcl, InitializeSecurityDescriptor, EqualSid, GetAce, GetAclInformation, GetSecurityDescriptorDacl, CryptExportKey, CryptGenKey, CryptAcquireContextA, CryptDecrypt, CryptReleaseContext, CryptDestroyKey, CreateProcessAsUserA, LogonUserA, CreateProcessWithLogonW, StartServiceA, CloseServiceHandle, CreateServiceA, OpenSCManagerA, DeleteService, ControlService, OpenServiceA, ReportEventA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenEventLogA, StartServiceCtrlDispatcherA
( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
I'm going to launch the ESET scanner now, I'll post later with the results.
Thanks again,
BobbaLouie
BobbaLouie
2009-10-10, 06:37
ESET scan looks pretty clean, I'm thinking the file it found is related to the junk we already cleaned off.
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=9993e06115621d47ac362df14d2eaa51
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-10-10 01:06:11
# local_time=2009-10-09 08:06:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1026 21 83 97 144112812500
# scanned=181244
# found=1
# cleaned=1
# scan_time=6212
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Good Morning,
ESET scan looks pretty clean, I'm thinking the file it found is related to the junk we already cleaned off.:bigthumb:
Boot to safemode and empty the C:\temp folder
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
Reboot and lets flush out system restore so you dont reinfect yourself
System Restore makes regular backups of all your settings, if you ever had to use this program to restore your system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
ClickProperties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start> All Programs> Assesories> System Tools> System Restore and create a New Restore Point
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
How is your system behaving now ??
BobbaLouie
2009-10-12, 17:37
Safe mode allowed cleaning of C:\Temp.
Restore points deleted and a new one created.
I'm thinking things are pretty clean now, my system seems to be back to it's usual state before all this happened.
I'll tell ya....I was so frustrated before posting here that I actually had the XP disk in and was ready to reinstall windows. I'm glad I posted here first and I really appreciate all your help in getting me back without a reinstall.
Thanks again,
BobbaLouie.
Your very welcome. Glad things are back to normal :bigthumb:
You can delete all the tools we used at the beginning of this thread, RootRepeal, Win32kdiag, exehelper. Here is info on the rest of them.
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken