Can't get Virtumonde.prx trojan off my computer
freder1ck
2010-10-21, 20:52
Spybot S&D caught it but it still keeps popping up. Won't clean it.
Here is the log:
DDS (Ver_10-10-10.03) - NTFSx86
Run by Compaq_Owner at 21:44:14.96 on Wed 10/20/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.332 [GMT -5:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
f:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Fred Pics\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Fqibinag] rundll32.exe "c:\windows\sgmsau.dll",Startup
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [PCDrProfiler]
mRun: [hpqSRMon]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Bladegifop] rundll32.exe "c:\windows\ekilimel.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
=============== Created Last 30 ================
2010-10-19 06:00:35 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{bc45fed6-0281-4ab7-822b-24316d970d29}\mpengine.dll
2010-10-19 01:24:57 0 ----a-w- c:\windows\Qworof.bin
2010-10-19 01:24:54 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\{D65B0306-13C7-4295-A32B-C2C9310980C2}
2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11:42 796672 ----a-w- c:\windows\system32\drivers\umdf\ZuneDriver.dll
2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 17:06:10 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
==================== Find3M ====================
2010-10-21 02:19:24 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-27 23:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 23:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
============= FINISH: 21:45:46.92 ===============
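Among the autostart entries in the log above, the two rundll32 lines that load a DLL straight from c:\windows with a "Startup" entry point (sgmsau.dll and ekilimel.dll) stand out from the vendor entries around them. As an added example, not part of this thread or of the DDS tool, here is a small Python triage script that parses the uRun/mRun/dRun lines of a DDS "Pseudo HJT Report" and flags rundll32 entries with exactly those traits; the sample lines are constructed from the log above, and the flagging rules are this example's own heuristics, not DDS output.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" format, modelled on the
# Run-key entries in the log above (a subset, not the whole report).
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Fqibinag] rundll32.exe "c:\windows\sgmsau.dll",Startup
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Bladegifop] rundll32.exe "c:\windows\ekilimel.dll",Startup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
"""


@dataclass
class RunEntry:
    scope: str    # u = current user (HKCU), m = machine (HKLM), d = default user
    name: str     # registry value name shown in [brackets]
    command: str  # command line as recorded by DDS


# "<scope>Run: [<name>] <command>"
RUN_LINE = re.compile(r'^([umd])Run:\s*\[([^\]]*)\]\s*(.*)$')

# rundll32[.exe] <dll>,<entry point>; the DLL may be quoted. An unquoted path
# containing spaces cannot be parsed unambiguously and is left unmatched.
# The ",," form (bthprops.cpl,,Name) is accepted by allowing repeated commas.
RUNDLL = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^,\s"]+))\s*,+\s*([^\s,]*)',
    re.IGNORECASE,
)


def parse_run_entries(text):
    """Collect every uRun/mRun/dRun line from a DDS report."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(*m.groups()))
    return entries


def rundll32_target(command):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL.match(command.strip())
    if not m:
        return None
    dll = m.group(1) or m.group(2)
    return dll, m.group(3)


def triage(text):
    """Flag rundll32 autostarts whose DLL sits in the Windows root directory
    or whose entry point is 'Startup'. Each hit records its reasons so a
    reviewer can see why it was raised rather than just that it was."""
    flagged = []
    for entry in parse_run_entries(text):
        target = rundll32_target(entry.command)
        if target is None:
            continue
        dll, export = target
        reasons = []
        if '\\' in dll:
            directory = dll.lower().rsplit('\\', 1)[0]
            if directory.endswith('\\windows'):
                reasons.append('DLL sits directly in the Windows directory')
        if export.lower() == 'startup':
            reasons.append("entry point is 'Startup'")
        if reasons:
            flagged.append({'scope': entry.scope, 'name': entry.name,
                            'dll': dll, 'export': export, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in triage(SAMPLE_DDS):
        print(f"{hit['scope']}Run [{hit['name']}] -> {hit['dll']} "
              f"({hit['export']}): {'; '.join(hit['reasons'])}")
```

Entries the script does not flag (the Lexmark driver helper under system32\spool and the bthprops.cpl control-panel applet) show that the location and entry-point checks, not the mere presence of rundll32, are what separates the two odd entries from the rest.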
Hello and welcome to Safer Networking.
My name is km2357 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.
If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.
Please do not start another thread or topic; I will assist you in this thread until we solve your problems.
Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.
Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:
Step # 1 Download and run DDS
Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.com)
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Step # 2: Download and Run Gmer
Please download gmer.zip (http://www.gmer.net/gmer.zip) from Gmer and save it to your desktop.
***Please close any open programs***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!
Please post the results from the GMER scan in your reply.
In your next post/reply, I need to see the following:
1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
Use multiple posts if you can't fit everything into one post.
freder1ck
2010-10-27, 17:28
Here are the DDS files requested (see below & attached zip file). When I tried to run GMER, this is what I got when it seemed to have finished the scan:
Windows - Delayed Write Failed
Windows was unable to save all the data for the file \Device\Harddisk\Volume2\$Mft. The data has been lost. This error may have been caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
There were errors like this one with about 4 other files. When I tried to save the log to my desktop, it locked up & wouldn't save or cancel, so I lost it. I will attempt to re-run it & post it. (It may take awhile.)
DDS (Ver_10-10-21.02) - NTFSx86
Run by Compaq_Owner at 19:14:15.40 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.299 [GMT -5:00]
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
f:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Compaq_Owner\Desktop\Fred Pics\dds (1).scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [PCDrProfiler]
mRun: [hpqSRMon]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Bladegifop] rundll32.exe "c:\windows\ekilimel.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
=============== Created Last 30 ================
2010-10-23 22:42:34 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6733bc39-b0c4-4068-b54c-d9854869d80d}\mpengine.dll
2010-10-19 01:24:57 0 ----a-w- c:\windows\Qworof.bin
2010-10-19 01:24:54 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\{D65B0306-13C7-4295-A32B-C2C9310980C2}
2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-10-25 17:49:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 19:15:51.84 ===============
There were errors like this one with about 4 other files. When I tried to save the log to my desktop, it locked up & wouldn't save or cancel, so I lost it. I will attempt to re-run it & post it. (It may take a while.)
Ok, if you're unable to get a GMER log when running it a 2nd time, let me know and we'll try another rootkit scanner.
freder1ck
2010-10-27, 23:58
Got the GMER to run successfully this time. Note: I have more than 1 hard drive on this computer; I thought I should mention it in case that is important. (BTW, thanks for all your help.)
Here are the results:
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-27 15:52:59
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pglyqpow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b@0012d11e226a 0x89 0xC5 0x27 0xC8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b@0012d11e226a 0x89 0xC5 0x27 0xC8 ...
---- EOF - GMER 1.0.15 ----
Step # 1: Download and Run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
* IMPORTANT !!! Save ComboFix.exe to your Desktop
When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
freder1ck
2010-10-28, 07:12
Here is the ComboFix log:
ComboFix 10-10-26.04 - Compaq_Owner 10/27/2010 20:59:04.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.466 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Compaq_Owner\Application Data\avdrn.dat
c:\documents and settings\Compaq_Owner\g2mdlhlpx.exe
c:\documents and settings\Compaq_Owner\Recent\Thumbs.db
D:\Autorun.inf
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.
2010-10-23 22:42 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6733BC39-B0C4-4068-B54C-D9854869D80D}\mpengine.dll
2010-10-19 01:24 . 2010-10-20 01:38 0 ----a-w- c:\windows\Qworof.bin
2010-10-19 01:24 . 2010-10-19 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{D65B0306-13C7-4295-A32B-C2C9310980C2}
2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
2010-10-18 19:10 . 2010-10-18 19:11 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04 . 2010-10-18 19:04 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-PT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
2010-10-15 15:53 . 2010-10-15 15:53 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-12-02 00:16 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-12-02 06:54 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19 . 2010-09-24 18:19 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2010-09-24 17:11 . 2010-09-24 17:11 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11 . 2010-09-24 17:11 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11 . 2010-09-24 17:11 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11 . 2010-09-24 17:11 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11 . 2010-09-24 17:11 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11 . 2010-09-24 17:11 796672 ----a-w- c:\windows\system32\drivers\UMDF\ZuneDriver.dll
2010-09-24 17:11 . 2010-09-24 17:11 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11 . 2010-09-24 17:11 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 17:06 . 2010-09-24 17:06 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-09-24 16:31 . 2009-08-17 17:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-01-28 14:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2008-01-28 14:16 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2008-01-28 14:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-01-28 14:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-01-28 14:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-01-28 16:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-01-28 14:20 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-01-28 14:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-01-28 14:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-01-28 14:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 00:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-01-28 16:34 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-01-28 14:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-01-28 14:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-29 02:40 . 2008-03-29 02:40 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-03-29 02:40 . 2008-03-29 02:40 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-03-29 02:40 . 2008-03-29 02:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-27 198160]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-06 1015808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\iWin Games\\iWinGames.exe"=
"f:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 iWinTrusted;iWinTrusted;f:\program files\iWin Games\iWinTrusted.exe [7/9/2009 3:21 PM 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11/21/2009 5:22 PM 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 11:35 PM 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys --> c:\windows\system32\DRIVERS\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]
--- Other Services/Drivers In Memory ---
*Deregistered* - pglyqpow
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]
2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-Bladegifop - c:\windows\ekilimel.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-__KITTY_LUV___is1 - c:\program files\Kitty Luv\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 21:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-27 21:34:50
ComboFix-quarantined-files.txt 2010-10-28 02:34
Pre-Run: 103,471,718,400 bytes free
Post-Run: 104,223,494,144 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 0F9E3BDFD9E6F337CC32BA9F8728F9F1
Step # 1: Disable Teatimer
Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.
This is a two-step process.
First step: Right-click the Spybot icon in the System Tray (it looks like a blue/white calendar with a padlock symbol).
If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version: Open Spybot S&D.
Click Mode, choose Advanced Mode.
Go to the bottom of the vertical panel on the left and click Tools.
Then, also in the left panel, click Resident (it shows a red/white shield).
If your firewall raises a question, say OK.
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
OK any prompts.
Use File, Exit to terminate Spybot.
Reboot your machine for the changes to take effect.
Step # 2: Run CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text below:
KILLALL::
File::
c:\windows\Qworof.bin
DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Note: This CFScript is for use on freder1ck's computer only! Do not use it on your computer.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
In your next post/reply, I need to see the following:
1. The ComboFix Log that appears after Step 2 has been completed.
2. A fresh DDS Log taken after Step 2 has been completed.
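The CFScript above names one file, c:\windows\Qworof.bin, picked out of the ComboFix listing by hand. As an added example that is not part of this thread and is not ComboFix or DDS code, the following Python parses the file-listing lines both tools print (the ComboFix form with created and modified timestamps, and the DDS Find3M form with a single timestamp) and applies three triage heuristics a responder uses when reading such a log: a zero-byte file dropped directly in c:\windows, a GUID-named directory created under a user's Local Settings\Application Data, and a file carrying hidden+system attributes. The sample lines are copied from the logs posted in this thread; the heuristics, the Entry class and the function names are the example's own assumptions, and every hit is a prompt for review rather than a verdict (hidden+system files under system32, for instance, are often legitimate).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the DDS and ComboFix logs in this thread (embedded so the
# example runs offline). Each line is:
#   <created> [. <modified>] <size|--------> <attrs> <path>
SAMPLE_LOG = r"""
2010-10-19 01:24 . 2010-10-20 01:38 0 ----a-w- c:\windows\Qworof.bin
2010-10-19 01:24 . 2010-10-19 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{D65B0306-13C7-4295-A32B-C2C9310980C2}
2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-25 17:49:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
"""

# Accepts both the ComboFix layout (two timestamps separated by " . ") and the
# DDS layout (one timestamp with seconds). Directories print -------- for size.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))? "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    """One parsed listing line (hypothetical structure for this example)."""
    created: str
    modified: Optional[str]   # None for the single-timestamp DDS layout
    size: Optional[int]       # None for directories
    attrs: str                # e.g. "----a-w-", "d-----w-", "--sha-w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        # lower-cased so the heuristics below are case-insensitive
        return self.path.rsplit("\\", 1)[0].lower()


def parse_entries(text: str) -> List[Entry]:
    """Parse listing lines, silently skipping banners, dots and other noise."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) review hints; the rules are this example's assumptions."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if not e.is_dir and e.size == 0 and e.parent == "c:\\windows":
            findings.append((e.path, "zero-byte file dropped directly in c:\\windows"))
        if (e.is_dir and GUID_RE.match(e.name)
                and e.parent.endswith("\\local settings\\application data")):
            findings.append((e.path, "GUID-named directory in per-user Application Data"))
        if not e.is_dir and e.hidden_system:
            findings.append((e.path, "hidden+system attributes set; confirm the file is expected"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Run against the embedded lines it reports Qworof.bin (the file the CFScript targets), the GUID-named directory created at the same minute, and the hidden+system .sys file, while leaving the iPod and dllcache entries alone; on a full log, paste the whole "Files Created" and "Find3M" sections into SAMPLE_LOG or read them from a file.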
freder1ck
2010-10-29, 21:38
OK, here is the 2nd ComboFix log (and underneath that the fresh DDS log):
ComboFix 10-10-26.04 - Compaq_Owner 10/29/2010 11:05:00.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.666 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FILE ::
"c:\windows\Qworof.bin"
.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
.
2010-10-29 15:31 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5431F9F3-C2A4-46BB-8B39-BE6DDCAB2565}\mpengine.dll
2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
2010-10-18 19:10 . 2010-10-18 19:11 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04 . 2010-10-18 19:04 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-PT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
2010-10-15 15:53 . 2010-10-15 15:53 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2009-12-02 00:16 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2009-12-02 06:54 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19 . 2010-09-24 18:19 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
2010-09-24 17:11 . 2010-09-24 17:11 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11 . 2010-09-24 17:11 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11 . 2010-09-24 17:11 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11 . 2010-09-24 17:11 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11 . 2010-09-24 17:11 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11 . 2010-09-24 17:11 796672 ----a-w- c:\windows\system32\drivers\UMDF\ZuneDriver.dll
2010-09-24 17:11 . 2010-09-24 17:11 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11 . 2010-09-24 17:11 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 17:06 . 2010-09-24 17:06 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-09-24 16:31 . 2009-08-17 17:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-01-28 14:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2008-01-28 14:16 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2008-01-28 14:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-01-28 14:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2008-01-28 14:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-01-28 16:34 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-01-28 14:20 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-01-28 14:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-01-28 14:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-01-28 14:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 00:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2008-01-28 16:34 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2008-01-28 14:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2008-01-28 14:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2008-03-29 02:40 . 2008-03-29 02:40 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-03-29 02:40 . 2008-03-29 02:40 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-03-29 02:40 . 2008-03-29 02:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-27 198160]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-06 1015808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"f:\\Program Files\\iWin Games\\iWinGames.exe"=
"f:\\Program Files\\iWin Games\\WebUpdater.exe"=
"c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R2 iWinTrusted;iWinTrusted;f:\program files\iWin Games\iWinTrusted.exe [7/9/2009 3:21 PM 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11/21/2009 5:22 PM 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 11:35 PM 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys --> c:\windows\system32\DRIVERS\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]
2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]
2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009Core.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009UA.job
- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-29 11:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\rundll32.exe
c:\program files\Portrait Displays\Pivot Software\floater.exe
c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Acer Display\eDisplay Management\DTHtml.exe
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ALCXMNTR.EXE
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
**************************************************************************
.
Completion time: 2010-10-29 11:26:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-29 16:26
ComboFix2.txt 2010-10-29 04:04
ComboFix3.txt 2010-10-28 02:34
Pre-Run: 105,828,130,816 bytes free
Post-Run: 105,819,549,696 bytes free
- - End Of File - - 1DD944FC28ACD7FD80AC4EB50C67E25C
Here is the DDS log taken after rerunning the ComboFix per your instructions. Also see attached file.
DDS (Ver_10-10-10.03) - NTFSx86
Run by Compaq_Owner at 12:10:57.10 on Fri 10/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.545 [GMT -5:00]
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
f:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ACT\ACT for Windows\Act8.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://news.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
=============== Created Last 30 ================
2010-10-29 17:05:22 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6c6fe288-8afd-48b7-92fd-b95ea101ace2}\mpengine.dll
2010-10-29 16:02:49 -------- d-----w- C:\ComboFix
2010-10-28 01:52:16 -------- d-sha-r- C:\cmdcons
2010-10-28 01:47:30 79872 ----a-w- c:\windows\MBR.exe
2010-10-28 01:47:30 256512 ----a-w- c:\windows\PEV.exe
2010-10-28 01:47:30 161792 ----a-w- c:\windows\SWREG.exe
2010-10-28 01:47:29 98816 ----a-w- c:\windows\sed.exe
2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-10-29 16:19:39 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 12:11:58.01 ===============
Step # 1: Update Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u22 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click Add/Remove Programs, and remove all older versions of Java.
Remove the following old versions of Java:
J2SE Runtime Environment 5.0 Update 5
Java(TM) 6 Update 5
Java(TM) 6 Update 17
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.
Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Step # 3: Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Post the MalwareBytes' Log in your next post/reply.
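As an added illustration of the "remove all older versions of Java" step above (example code written for this page, not part of the thread or of any tool mentioned in it): the function below parses the Add/Remove Programs display names the reply lists, flags every Java runtime older than the 6u22 release the reply recommends, and, on a Windows host, can read those names from the standard Uninstall registry key instead of the constructed sample. The sample names, the 6u22 target and the regex for Sun's naming scheme are assumptions taken from the reply; the registry path is the usual HKLM Uninstall key.

```python
"""Find Java runtimes older than a target release from installed-program names.

Added example, not from the thread. SAMPLE_DISPLAY_NAMES is constructed from the
three Java entries the reply above says to remove, plus two non-Java entries.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample: Add/Remove Programs display names as the reply lists them.
SAMPLE_DISPLAY_NAMES = [
    "J2SE Runtime Environment 5.0 Update 5",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 17",
    "Microsoft Security Essentials",
    "Adobe Reader 9.4.0",
]

# Sun's naming schemes seen in the reply:
#   "J2SE Runtime Environment 5.0 Update 5" -> (5, 5)
#   "Java(TM) 6 Update 17"                  -> (6, 17)
_JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?|Java)\s+"
    r"(\d+)(?:\.0)?\s+Update\s+(\d+)",
    re.IGNORECASE,
)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java runtime entry, or None for anything else."""
    m = _JAVA_RE.match(display_name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def outdated_java(display_names: Iterable[str],
                  target: Tuple[int, int] = (6, 22)) -> List[str]:
    """Names of Java runtimes older than `target` (default 6u22, per the reply).

    Non-Java entries are ignored; tuple comparison orders (5, 5) < (6, 17) < (6, 22).
    """
    return [name for name in display_names
            if (v := parse_java_version(name)) is not None and v < target]


def collect_display_names() -> List[str]:
    """Read DisplayName values from the Uninstall key (Windows only).

    Returns an empty list on other platforms so the module imports anywhere.
    """
    try:
        import winreg
    except ImportError:
        return []
    names: List[str] = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue  # subkey without a DisplayName, or not readable
    return names


if __name__ == "__main__":
    installed = collect_display_names() or SAMPLE_DISPLAY_NAMES
    for name in outdated_java(installed):
        print("remove:", name)
```

Run on the sample it lists exactly the three entries the reply names; run on a Windows box it reports whatever old runtimes Add/Remove Programs still shows after the uninstall pass, which is the check worth doing before rebooting and installing the new version.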
freder1ck
2010-10-30, 04:30
I deleted the old Java versions and installed the latest version. Downloaded and ran the ATF Cleaner. Downloaded and ran the Malwarebytes' Anti-Malware and performed the quick scan. It found 1 infected file, which it disinfected, and I restarted the computer afterwards per its instruction. Here is the MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4994
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/29/2010 8:01:40 PM
mbam-log-2010-10-29 (20-01-40).txt
Scan type: Quick scan
Objects scanned: 152348
Time elapsed: 7 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
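The MBAM report above is a fixed text format, and the detail a helper actually checks is whether the counts in the summary block agree with the items listed below them and whether every detection was really quarantined. The parser below does both; it is an added example written for this page, not part of the thread or of Malwarebytes, and SAMPLE_MBAM_LOG is constructed from the log posted above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example, not from the thread. SAMPLE_MBAM_LOG is constructed from the
report posted above (blank lines omitted, as in the post).
"""
import re
from typing import Dict, List, Tuple

SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4994
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
10/29/2010 8:01:40 PM
mbam-log-2010-10-29 (20-01-40).txt
Scan type: Quick scan
Objects scanned: 152348
Time elapsed: 7 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\\WINDOWS\\system32\\cpnprt2.cid (Trojan.Agent) -> Quarantined and deleted successfully.
"""

_COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary: "Files Infected: 1"
_SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")       # heading: "Files Infected:"
_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Dict:
    """Return {"header": {...}, "counts": {category: n}, "sections": {category: [items]}}."""
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _COUNT_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := _SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            if line != "(No malicious items detected)" and (m := _ITEM_RE.match(line)):
                sections[current].append(m.groupdict())
        elif ": " in line:  # "Scan type: Quick scan", "Database version: 4994", ...
            key, value = line.split(": ", 1)
            header[key] = value
    return {"header": header, "counts": counts, "sections": sections}


def count_mismatches(report: Dict) -> List[Tuple[str, int, int]]:
    """(category, summary_count, items_listed) wherever the two disagree.

    A non-empty result means the pasted log is truncated or was edited.
    """
    return [(cat, n, len(report["sections"].get(cat, [])))
            for cat, n in report["counts"].items()
            if len(report["sections"].get(cat, [])) != n]


def unresolved_items(report: Dict) -> List[Dict[str, str]]:
    """Detections whose recorded action is anything other than a completed quarantine-and-delete."""
    return [it for items in report["sections"].values() for it in items
            if not it["action"].lower().startswith("quarantined and deleted successfully")]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(rep["counts"], count_mismatches(rep), unresolved_items(rep))
```

On the posted log the summary and the detail agree (one file, quarantined and deleted), so both check functions return empty lists; a log whose "Files Infected" count is higher than the number of item lines, or whose items carry a different action string, is the case worth asking the poster about before declaring the scan clean.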
Step # 1: Run Kaspersky Online Scan
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.
In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
freder1ck
2010-10-31, 22:56
"In your next post/reply, I need to see the following:
1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?"
1. Here is the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, October 31, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, October 31, 2010 01:06:37
Records in database: 4194713
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
Scan statistics:
Objects scanned: 446218
Threats found: 15
Infected objects found: 55
Suspicious objects found: 0
Scan duration: 13:23:12
File name / Threat / Threats count
C:\Documents and Settings\Compaq_Owner\Desktop\Desktop Cleanup\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\I386\APPS\APP03696\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
D:\I386\APPS\APP03696\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.a 6
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Trojan-Downloader.Win32.Small.ciw 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Banwarum.l 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.h 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.k 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Trojan-Downloader.Win32.Tibs.jr 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Trojan-Downloader.Win32.Tibs.kj 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.u 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.cq 3
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.cs 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox Infected: Email-Worm.Win32.Zhelatin.ct 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Inbox.sbd\Real Deals Infected: Email-Worm.JS.Yamanner.a 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.a 6
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Trojan-Downloader.Win32.Small.ciw 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.h 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.k 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Trojan-Downloader.Win32.Tibs.jr 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Trojan-Downloader.Win32.Tibs.kj 1
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.u 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.cq 3
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.cs 2
F:\Documents and Settings\Compaq_Owner\Application Data\Thunderbird\Profiles\e1j60ono.default\Mail\pop.sbcglobal.yahoo.com\Junk Infected: Email-Worm.Win32.Zhelatin.ct 1
F:\Documents and Settings\Compaq_Owner\Local Settings\Temp\WebInstaller\Setup\SST\Data\VNC\MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 2
F:\hp\bin\wbug\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
G:\I386\Apps\APP16119\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
G:\I386\Apps\APP16119\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
Selected area has been scanned.
2. Here is the fresh DDS log taken after running Kaspersky (also see attached file):
DDS (Ver_10-10-10.03) - NTFSx86
Run by Compaq_Owner at 15:32:44.31 on Sun 10/31/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.688 [GMT -5:00]
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
f:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://news.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9e.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
=============== Created Last 30 ================
2010-10-30 04:38:25 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e9fff3c0-1297-4071-a572-cd981858dda8}\mpengine.dll
2010-10-29 21:36:59 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-10-29 21:36:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-29 21:36:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-29 21:36:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-29 21:36:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-29 21:24:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-29 21:24:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-29 21:24:24 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-29 16:02:49 -------- d-----w- C:\ComboFix
2010-10-28 01:52:16 -------- d-sha-r- C:\cmdcons
2010-10-28 01:47:30 79872 ----a-w- c:\windows\MBR.exe
2010-10-28 01:47:30 256512 ----a-w- c:\windows\PEV.exe
2010-10-28 01:47:30 161792 ----a-w- c:\windows\SWREG.exe
2010-10-28 01:47:29 98816 ----a-w- c:\windows\sed.exe
2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
==================== Find3M ====================
2010-10-30 01:13:22 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
============= FINISH: 15:34:25.06 ===============
3. Because of the infection, I have used this machine very little, but it seems to be running more slowly than normal. Also, I had been using Firefox as my default browser but now it has flipped back to using IE as the default, & it appears I will need to reload Firefox as the computer says it cannot find it when I click on the icon. (It's also not showing the regular Firefox icon.) I am assuming that some of the fixes we tried may have caused this & that these are not real problems?
Since the computer is running slower than normal, try the tips located at the link below to see if it helps any:
http://www.malwareremoval.com/tutorials/runningslowly.php
Also, I had been using Firefox as my default browser but now it has flipped back to using IE as the default, & it appears I will need to reload Firefox as the computer says it cannot find it when I click on the icon. (It's also not showing the regular Firefox icon.) I am assuming that some of the fixes we tried may have caused this & that these are not real problems?
After we ran ComboFix, it made IE the default browser instead of Firefox. Go ahead and reinstall Firefox and make it the default browser again. :)
I'd also like for you to go into Thunderbird and delete every e-mail you no longer need that is in the Inbox. Also delete every e-mail that is in the Spam/Junk/Trash/Bulk folder.
Finally, go ahead and run Spybot again and let me know if it finds Virtumonde.prx.
freder1ck
2010-11-02, 04:01
Since the computer is running slower than normal, try the tips located at the link below to see if it helps any:
http://www.malwareremoval.com/tutorials/runningslowly.php
After we ran ComboFix, it made IE the default browser instead of Firefox. Go ahead and reinstall Firefox and make it the default browser again. :)
I'd also like for you to go into Thunderbird and delete every e-mail you no longer need that is in the Inbox. Also delete every e-mail that is in the Spam/Junk/Trash/Bulk folder.
Finally, go ahead and run Spybot again and let me know if it finds Virtumonde.prx.
Thanks for the tips link--these will help. Deleted Thunderbird entirely, as I haven't used it in some time & no longer need it. I ran Spybot again & it did not find Virtumonde.prx, so I think the fixes worked! Thank you for your patience and all your help; you have been a lifesaver.
Good to hear that Spybot didn't find virtumonde.prx.
If there are no more problems, you're good to go. :)
You can delete the following off of your computer:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
To remove ComboFix, do the following:
Go to Start > Run - type in ComboFix /Uninstall & click OK
Empty your Recycle Bin.
You can re-enable Teatimer.
Your version of Adobe Reader is out of date. Open up Adobe Reader, click Help, then click Check for Updates. After it's done checking for updates, have Adobe Reader download and install Adobe Reader 9.4.0.
Please take the time to read my All Clean Post.
Please follow these simple steps in order to keep your computer clean and secure:
This is a good time to clear your existing system restore points and establish a new clean restore point.
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.
Make your Internet Explorer more secure. This can be done by following these simple instructions: from within Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked, please check Hide protected operating system files (Recommended).
If necessary check "Display content of system folders"
If necessary, uncheck Hide file extensions for known file types.
Click OK
Use An Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file (http://www.mvps.org/winhelp2002/hosts.htm) Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html) If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen, then click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.spybot.info/showthread.php?t=279)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Here's a good website to read about Malware prevention:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
If your computer is running slow, click here (http://www.malwareremoval.com/tutorials/runningslowly.php) for instructions on how to help speed up your computer.
Good luck!
Please reply one last time so that I know you have read my post and this thread can be closed.
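As an added check, not from this thread or from any of the tools it names: a PowerShell script that audits the Internet Explorer Internet-zone settings, the folder-view options and the DNS Client startup type recommended in the post above against the live registry, reporting each as compliant or not, and only changing anything when run with -Fix. It assumes the standard registry locations for those settings (the zone action numbers 1001, 1004, 1201, 1607, 1800 and 1804 are Microsoft's documented ones, with 0 = Enable, 1 = Prompt, 3 = Disable) and PowerShell 2.0-era cmdlets so that it also runs on the XP system in this thread; the setting labels and the hosts-file entry count are my own.

```powershell
# Added audit script (not from this thread or from any tool it names).
# Read-only by default; run with -Fix to set the recommended values.
# Registry locations are the standard IE zone / Explorer folder-option keys;
# action ids 1001, 1004, 1201, 1607, 1800 and 1804 are Microsoft's documented
# IE zone setting numbers, where 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Fix)

$zoneKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # zone 3 = Internet
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Registry key, value name, human label, recommended DWORD value.
$checks = @(
    @{ Key = $zoneKey; Name = '1001'; Label = 'Download signed ActiveX controls';                       Wanted = 1 },
    @{ Key = $zoneKey; Name = '1004'; Label = 'Download unsigned ActiveX controls';                     Wanted = 3 },
    @{ Key = $zoneKey; Name = '1201'; Label = 'Initialize and script ActiveX controls not marked safe'; Wanted = 3 },
    @{ Key = $zoneKey; Name = '1800'; Label = 'Installation of desktop items';                          Wanted = 1 },
    @{ Key = $zoneKey; Name = '1804'; Label = 'Launching programs and files in an IFRAME';              Wanted = 1 },
    @{ Key = $zoneKey; Name = '1607'; Label = 'Navigate sub-frames across different domains';           Wanted = 1 },
    @{ Key = $explorerKey; Name = 'Hidden';          Label = 'Do not show hidden files and folders';    Wanted = 2 },
    @{ Key = $explorerKey; Name = 'ShowSuperHidden'; Label = 'Hide protected operating system files';  Wanted = 0 },
    @{ Key = $explorerKey; Name = 'HideFileExt';     Label = 'Show extensions for known file types';    Wanted = 0 }
)

function Test-Setting {
    param($Check, [switch]$Fix)
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    # $null means the value is absent, so the zone/Explorer default applies; report it as non-compliant.
    $current = if ($item) { $item.($Check.Name) } else { $null }
    $ok = ($current -eq $Check.Wanted)
    if (-not $ok -and $Fix) {
        New-ItemProperty -Path $Check.Key -Name $Check.Name -Value $Check.Wanted -PropertyType DWord -Force | Out-Null
        $current = $Check.Wanted; $ok = $true
    }
    New-Object PSObject -Property @{ Setting = $Check.Label; Current = $current; Wanted = $Check.Wanted; Compliant = $ok }
}

$results = @(foreach ($c in $checks) { Test-Setting -Check $c -Fix:$Fix })

# Hosts-file step (optional in the thread): count blocking entries, and if a blocking
# hosts file is in use, check that the DNS Client service (Dnscache) is set to Manual.
$hostsPath = Join-Path $env:SystemRoot 'system32\drivers\etc\hosts'
$blockEntries = @(Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S+' -and $_ -notmatch '\slocalhost\s*$' }).Count
$dns = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
$dnsOk = ($dns.StartMode -eq 'Manual')
if ($blockEntries -gt 0 -and -not $dnsOk -and $Fix) {
    Set-Service -Name Dnscache -StartupType Manual
    $dnsOk = $true
}
$results += New-Object PSObject -Property @{
    Setting   = "DNS Client startup (hosts file has $blockEntries blocking entries)"
    Current   = $dns.StartMode
    Wanted    = 'Manual'
    Compliant = $dnsOk
}

$results | Format-Table Setting, Current, Wanted, Compliant -AutoSize
```

Run it from a PowerShell prompt as the user whose IE settings you want to check, since the keys live under HKCU. Explorer reads the folder-view values when it starts, so after -Fix the hidden-file and extension changes show up only after logging off or restarting Explorer; the DNS Client change is only reported as a problem when the hosts file actually contains blocking entries, matching the thread's advice that the service change is a workaround for the hosts-file slowdown rather than a hardening step on its own.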
freder1ck
2010-11-02, 23:39
Per your instructions, I deleted:
DDS.scr
The two DDS Logs
GMER.zip
GMER.exe
The GMER Log
and uninstalled the ComboFix
I also uninstalled the Malwarebytes and deleted the ATF-Cleaner (hope that was OK). Emptied the recycle bin. Updated Adobe Reader (I'd been trying to do that regularly, but I will have to do it more often.) Made sure teatimer is back on & also real-time protection on Microsoft Security Essentials.
I established a new system restore point and removed the old ones per your instructions.
I checked IE & happily I already had all the settings set correctly per your instructions.
For antivirus right now I still have the Spybot S&D & Microsoft Security Essentials. I will install the SpywareBlaster tonight & will take a look to see if using hosts file is something I want to add.
I haven't been using IM, so if I do I will definitely use Trillian or Miranda.
I am still reading the articles - I PROMISE I will finish them & follow the tips. (I read everything.)
ONE FINAL QUESTION: I was using Firefox because I don't like IE & thought Firefox would be more secure, but what do you think about Google Chrome? Would that be more secure? Pros/cons?
Thanks again!
I also uninstalled the Malwarebytes and deleted the ATF-Cleaner (hope that was OK)
It was your choice to uninstall both MalwareBytes' and ATF Cleaner, which is fine. As for myself, I would have kept both installed. MalwareBytes' is an excellent spyware/malware removal tool that is frequently updated, often many times a day. And ATF Cleaner can be used every 2 weeks or so to help keep your computer free of the junk that can clutter/slow down a computer if the computer accumulates too much of it.
ONE FINAL QUESTION: I was using Firefox because I don't like IE & thought Firefox would be more secure, but what do you think about Google Chrome? Would that be more secure? Pros/cons?
Thanks again!
I've never used Chrome before, so I can't comment on whether it's better or worse than either Firefox or IE. A browser is only as secure as its user. Whatever browser you decide to use, you need to make sure it's fully updated at all times. And be careful where you surf with it; don't click on every link you come across, especially ones you don't know, and don't download/install any programs you yourself didn't download. :)
freder1ck
2010-11-03, 03:27
I didn't know that I could keep those on my system with what I have (unfortunately I'm not that computer savvy), but I'll just reinstall them. Thanks again!
You're welcome. I'm glad I was able to help you out. :)
Good luck and safe surfing!
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.