My PC is surfing the web without me :D
JD the DJ
2011-02-19, 16:54
Last week, after scanning and removal of malware acquired a few days earlier (with MBAM and Spybot S&D), and neither program was identifying any more threats, I performed a "final" scan using MBAM (just to be sure). During that scan, I noticed that MBAM was scanning a large number of files in the sub-folders of "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\...". I had never noticed this location before and thought it strange that so many trash files would be there (esp. after using CCleaner). So, I opened "My Computer" and watched as new files appeared in the sub-folders of "C:\Documents and Settings\NetworkService\...", the types of files one would expect to see if one was surfing the web. Yet, I did not have a browser open.
Despite what Microsoft Support told me (that this was normal and not to be worried about)... :banghead:
... I still feel that my PC is too young to surf the web on his own.
Thanks for your help.
Below is the DDS:
-------------------------------------------------------------
DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Dana at 4:57:57.14 on Sat 02/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.93 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\downloads\TCPView\Tcpview.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dana\Local Settings\Temporary Internet Files\Content.IE5\YAJTCQ7Y\dds[1].scr
============== Pseudo HJT Report ===============
uSearch Page =
uSearch Bar =
uStart Page = hxxp://google.com/
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\dana\applic~1\mozilla\firefox\profiles\e9buyb2s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {09574FAB-BD34-49B5-A2C4-6F9CB51FAA80} - c:\documents and settings\administrator.dbarker2\local settings\application data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}
============= SERVICES / DRIVERS ===============
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]
=============== Created Last 30 ================
2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist
==================== Find3M ====================
2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340810A rev.3.39 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F1685C]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f1ca38]; MOV EAX, [0x82f1cab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F98AB8]
3 CLASSPNP[0xF8636FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x82FAC968]
5 ACPI[0xF85AD620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FACD98]
\Driver\atapi[0x82F670D8] -> IRP_MJ_CREATE -> 0x82F1685C
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST340810A_______________________________3.39____#463532423356504c202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F166A2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 5:01:50.20 ===============
Jack&Jill
2011-02-19, 19:50
Hello and welcome to Safer Networking.
I am currently assessing your situation and will be back with a fix for your problem as soon as possible.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.
Please be patient with me during this time.
Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
JD the DJ
2011-02-19, 20:38
OK.
Btw, I was unable to post to this forum using the infected PC.
Jack&Jill
2011-02-20, 10:38
Hello JD the DJ :),
Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.
Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.
--------------------
Btw, I was unable to post to this forum using the infected PC. Maybe you will need to transfer some files between computers using a USB drive in case you still cannot post, so let's protect the good one first. From the good machine, please do the following.
Check USB storage devices / removable drives
Please download USBNoRisk© by bobby and save to your desktop. Click here. (http://amf.mycity.rs/personal/bobby/USBNoRisk/usbnorisk.exe)
Double click on usbnorisk.exe and wait a couple of seconds for the initial scan to finish.
Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
If there is more than one USB storage device, please take note of the order in which they are connected.
When all the devices are plugged in and the scanning done, right click on any location in the white box where the results are shown and select Save log.
Click OK when prompted and a log will open. It is saved to C:\USBNoRisk\UsbNoRisk.txt.
Post the contents of that log in your reply and close the program.
--------------------
Please post back:
1. the USBNoRisk log
JD the DJ
2011-02-20, 13:37
OK, USBNoRisk installed on good machine.
Only connected 1 USB device (4GB)
---------------------------------------------------------------
USBNoRisk 2.7 (28 December 2010) by bobby
Started at 2/20/2011 3:28:09 AM
Searching for connected USB Mass storage...
----------------------------------------
========================================
Searching for other storage...
----------------------------------------
C: {70b2502c-d63c-11df-8327-806e6f6e6963}
D: {70b2502d-d63c-11df-8327-806e6f6e6963}
========================================
Scanning fixed storage...
----------------------------------------
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 70b2502c-d63c-11df-8327-806e6f6e6963
No Desktop.ini files found on C:
----------------------------------------
No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 70b2502d-d63c-11df-8327-806e6f6e6963
----------------------------------------
Desktop.ini found at D:\boot\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
[ShellvRTF]
RTFPath="protect.ed"
IconIndex=1
[Language]
default="protect.english"
Arabic="protect.arabic"
Bulgarian="protect.bulgarian"
Catalan="protect.catalan"
Chinese_HongKong="protect.chinese hong kong"
Chinese_Simplified="protect.chinese simplified"
Chinese_Traditional="protect.chinese traditional"
Croatian="protect.croatian"
Czech="protect.czech"
Danish="protect.danish"
Dutch="protect.dutch"
Estonian="protect.estonian"
English="protect.english"
Finnish="protect.finnish"
French="protect.french"
German="protect.german"
Greek="protect.greek"
Hebrew="protect.hebrew"
Hungarian="protect.hungarian"
Italian="protect.italian"
Japanese="protect.japanese"
Korean="protect.korean"
Latvian="protect.latvian"
Lithuanian="Protect.lithuanian"
Norwegian (Bokmål)="protect.norwegian"
Polish="protect.polish"
Portuguese="protect.portuguese"
Portuguese_Brazilian="protect.portuguese brazilian"
Romanian="protect.romanian"
Russian="protect.russian"
Serbian_Latin="protect.serbian latin"
Slovak="protect.slovak"
Slovenian="protect.slovenian"
Spanish="protect.spanish"
Swedish="protect.swedish"
Thai="protect.thai"
Turkish="protect.turkish"
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\hp\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\RECOVERY\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\SOURCES\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\Windows\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\ contains interesting CLSID string
----------------------------------------
CLSID not found in registry
----------------------------------------
========================================
Initial scan finished!
========================================
New device connected at 2/20/2011 3:29:24 AM
Scanning for connected USB mass storage...
----------------------------------------
J: {4377fd62-3bf2-11e0-a90a-001e904a93df}
Added J:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on J:
----------------------------------------
No Autorun.inf files found on J:
Sanitized mountpoint for 4377fd62-3bf2-11e0-a90a-001e904a93df
----------------------------------------
No Desktop.ini files found on J:
----------------------------------------
No mimics found on drive J:
----------------------------------------
.lnk/.pif/.com/.scr files found on drive J:
========================================
New device connected at 2/20/2011 3:29:37 AM
Scanning for connected USB mass storage...
----------------------------------------
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on J:
----------------------------------------
No Autorun.inf files found on J:
No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
----------------------------------------
No Desktop.ini files found on J:
----------------------------------------
No mimics found on drive J:
----------------------------------------
.lnk/.pif/.com/.scr files found on drive J:
========================================
New device connected at 2/20/2011 3:29:39 AM
Scanning for connected USB mass storage...
----------------------------------------
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on J:
----------------------------------------
No Autorun.inf files found on J:
No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
----------------------------------------
No Desktop.ini files found on J:
----------------------------------------
No mimics found on drive J:
----------------------------------------
.lnk/.pif/.com/.scr files found on drive J:
========================================
Jack&Jill
2011-02-20, 14:20
Hello JD the DJ :),
Do this on the good computer.
Run USBNoRisk script
Please start USBNoRisk by double clicking on the program.
Choose the Script tab.
Copy and paste the following text into it:
{4377fd62-3bf2-11e0-a90a-001e904a93df}
protect:
Now, connect the USB storage device to the computer. If already connected, please click on the Run Script button at the bottom.
Close the program when done.
--------------------
Do all the following steps on the infected machine. If you cannot download on or post from the infected machine, then transfer the files through the other computer using the USB drive.
When you ran DDS the first time, did you save Attach.txt? If yes, please post the contents of the log. Otherwise, run DDS again to get me the result.
You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.
--------------------
Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.
Please download Rootkit Unhooker and save it to your desktop. Click here. (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE)
Double click RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Ensure the following are checked (ticked):
Drivers
Stealth Code
Files
Code Hooks
Uncheck the rest, then click OK. An initial scan will be performed.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
Wait until the scanner is done, then click on File in the pull-down menu, followed by Save Report.
Save the report somewhere you can find it. Click Close to exit.
Copy the entire contents of the report and paste it in your next reply.
You may get a warning about parasite detection. Please click OK to continue.
--------------------
Please post back:
1. Attach.txt
2. the last MBAM
3. Rootkit Unhooker log
JD the DJ
2011-02-20, 14:56
- Ran Script on good machine
- Attach.txt is below
- Last MBAM log of a Full Scan of Drive C: is below
- Will close all programs and start on Rootkit Unhooker and post that soon
(Am posting this reply using infected PC, it works now)
Attach.txt
--------------------------------------------
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/23/2004 6:19:28 PM
System Uptime: 2/19/2011 6:43:11 AM (1 hours ago)
Motherboard: | |
Processor: AMD Athlon(tm) Processor | Slot-A | 663/66mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 17.287 GiB free.
D: is FIXED (FAT32) - 75 GiB total, 52.767 GiB free.
==== Disabled Device Manager Items =============
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMSONY_CD-RW__CRX230E_____________________QYS1____\5&C21666E&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: SONY CD-RW CRX230E
PNP Device ID: IDE\CDROMSONY_CD-RW__CRX230E_____________________QYS1____\5&C21666E&0&0.0.0
Service: cdrom
==== System Restore Points ===================
RP1656: 1/16/2011 11:44:28 PM - System Checkpoint
RP1657: 1/18/2011 2:48:39 AM - System Checkpoint
RP1658: 1/19/2011 3:10:03 AM - System Checkpoint
RP1659: 1/20/2011 3:39:38 AM - System Checkpoint
RP1660: 1/21/2011 6:01:44 AM - System Checkpoint
RP1661: 1/22/2011 6:39:41 AM - System Checkpoint
RP1662: 1/22/2011 11:00:42 PM - Software Distribution Service 3.0
RP1663: 1/23/2011 11:39:44 PM - System Checkpoint
RP1664: 1/25/2011 12:39:46 AM - System Checkpoint
RP1665: 1/26/2011 1:39:40 AM - System Checkpoint
RP1666: 1/27/2011 8:41:01 AM - System Checkpoint
RP1667: 1/27/2011 5:45:47 PM - Software Distribution Service 3.0
RP1668: 1/30/2011 6:47:14 PM - Revo Uninstaller's restore point - Adobe Atmosphere Player for Acrobat and Adobe Reader
RP1669: 1/30/2011 6:53:57 PM - Revo Uninstaller's restore point - Adobe Flash Player 10 ActiveX
RP1670: 1/30/2011 6:55:52 PM - Revo Uninstaller's restore point - Adobe Flash Player 10 Plugin
RP1671: 1/30/2011 6:56:52 PM - Revo Uninstaller's restore point - Adobe Shockwave Player 11
RP1672: 1/30/2011 6:58:05 PM - Revo Uninstaller's restore point - Adobe Reader 8.1.2
RP1673: 1/30/2011 7:00:51 PM - Revo Uninstaller's restore point - Java(TM) 6 Update 23
RP1674: 1/30/2011 7:03:12 PM - Revo Uninstaller's restore point - Spelling Dictionaries Support For Adobe Reader 8
RP1675: 1/30/2011 7:05:03 PM - Revo Uninstaller's restore point - Winamp
RP1676: 1/30/2011 7:18:38 PM - Revo Uninstaller's restore point - XnView 1.93.6
RP1677: 1/30/2011 7:20:22 PM - Revo Uninstaller's restore point - IrfanView (remove only)
RP1678: 1/30/2011 7:22:12 PM - Revo Uninstaller's restore point - 7-Zip 4.57
RP1679: 1/30/2011 7:23:38 PM - Revo Uninstaller's restore point - AnalogX TagMaster
RP1680: 1/30/2011 7:24:52 PM - Revo Uninstaller's restore point - SUPERAntiSpyware
RP1681: 1/30/2011 7:26:39 PM - Revo Uninstaller's restore point - Yahoo! Messenger
RP1682: 1/30/2011 7:29:22 PM - Revo Uninstaller's restore point - Yahoo! Browser Services
RP1683: 1/30/2011 7:31:18 PM - Revo Uninstaller's restore point - Full Tilt Poker
RP1684: 1/30/2011 7:31:48 PM - Removed Full Tilt Poker
RP1685: 1/30/2011 7:35:08 PM - Revo Uninstaller's restore point - The KMPlayer (remove only)
RP1686: 2/2/2011 3:32:01 AM - System Checkpoint
RP1687: 2/2/2011 7:17:20 AM - Software Distribution Service 3.0
RP1688: 2/14/2011 1:57:46 AM - Software Distribution Service 3.0
RP1689: 2/15/2011 8:14:28 AM - System Checkpoint
RP1690: 2/15/2011 4:45:24 PM - Removed Microsoft Easy Assist v2
RP1691: 2/15/2011 4:45:55 PM - Installed Microsoft Easy Assist v2
==== Installed Programs ======================
A.F.5 Rename your files 1.1
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Apple Software Update
ArcSoft Software for HP
Audacity 1.2.3
Avernum 4
Avernum Demo
Bonjour
Catan (remove only)
CCleaner
CDDRV_Installer
CDex extraction audio
Crystal Reports for .NET Framework 2.0 (x86)
Cypress USB Mass Storage Driver Installation
ERUNT 1.1j
Google Chrome
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Product Detection
Inspector F
Inspector F 1.2
iTunes
Java Auto Updater
KhalInstallWrapper
Locomotion
Logitech SetPoint
Lucent Technologies Soft Modem AMR
Malwarebytes' Anti-Malware
MediaMonkey 3.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Data Access Components KB870669
Microsoft Easy Assist v2
Microsoft Excel 2000 Macro Function Help File
Microsoft IntelliPoint 4.1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Office 2000 Web Archive Add-On
Microsoft Office HTML Filter 2.0
Microsoft Office Spreadsheet Updated Function Reference
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Mozilla Firefox (3.5.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Napster
Napster Burn Engine
Napster Label Creator
Nero Suite
PokerStars.net
Railroad Tycoon 3 Demo
RegScrubXP 5.1
Revo Uninstaller 1.91
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
Spybot - Search & Destroy
Tweak UI
UltimateBet
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows Internet Explorer 8 (KB982664)
URGE
USB Storage Adapter FX (SM1)
User Profile Hive Cleanup Service
Wal-Mart Music Downloads Store
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0
Yahoo! Internet Mail
==== Event Viewer Messages From Past Week ========
2/18/2011 6:49:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2/18/2011 6:49:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM Cdrom Fips
2/18/2011 11:47:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
2/15/2011 4:41:14 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
2/15/2011 3:50:35 PM, error: NetDDE [206] - Listen failed: 15:
2/15/2011 12:43:16 PM, error: NetDDE [206] - Listen failed: 23: The ncb_lana_num member did not specify a valid network number.
2/15/2011 12:27:55 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The system cannot find the file specified.
2/15/2011 12:27:46 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
2/15/2011 10:43:48 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2418241).
2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB983583).
2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).
2/14/2011 1:57:56 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
2/14/2011 1:57:51 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909).
==== End Of File ===========================
MBAM log
-------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5767
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/16/2011 11:27:28 AM
mbam-log-2011-02-16 (11-27-28).txt
Scan type: Full scan (C:\|)
Objects scanned: 251365
Time elapsed: 1 hour(s), 19 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
JD the DJ
2011-02-20, 15:43
Here is the Rootkit Unhooker log Report
---------------------------------------------------
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2189952 bytes
0x804D7000 RAW 2189952 bytes
0x804D7000 WMIxWDM 2189952 bytes
0xF7716000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF74F9000 C:\WINDOWS\system32\drivers\sis7012.sys 823296 bytes (Silicon Integrated Systems Corporation, SiS 7012 Audio Device WDM Driver)
0xF75C2000 C:\WINDOWS\System32\DRIVERS\LTSM.sys 790528 bytes (Lucent Technologies, SoftModem Device Driver)
0xF8489000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF00B1000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6F5F000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF0196000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEBB3A000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEBBE5000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF85A7000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEBCCA000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF845C000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEC4B3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF0121000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF016E000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF008B000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEB918000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF76CA000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7683000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF76A7000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF014C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF853F000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF8577000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF8442000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF855F000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEB900000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF8516000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF74E2000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEBC49000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF76EE000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF7702000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EE000 ACPI_HAL 81152 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF01EF000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF852D000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF8596000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF74D1000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF083A000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF8736000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF8746000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF0305000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7936000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF8706000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF8636000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF8716000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF8756000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF8616000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF8776000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF07EA000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF8606000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF8766000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF85F6000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7926000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF8656000 sisagp.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS NT AGP Filter)
0xF7946000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF8626000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF07CA000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF8786000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF082A000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEC74A000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF8646000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF07DA000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF898E000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF0C6D000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF8996000 C:\WINDOWS\system32\DRIVERS\sisnicxp.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)
0xF899E000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF897E000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF0C85000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF8876000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF8976000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF8896000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF0C7D000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF3827000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF0C75000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF887E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF89F6000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF89FE000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF89A6000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF8986000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF0458000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF8A9E000 C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys 16384 bytes (Logitech, Inc., Logitech PS2 Keyboard Filter Driver.)
0xF8AC6000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF6F5B000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF8AA2000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF8A0A000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF0BD2000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF8AA6000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xF0CD1000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF0CC9000 C:\WINDOWS\system32\DRIVERS\IPFilter.sys 12288 bytes (Microsoft Corporation, Microsoft IntelliPoint)
0x82ED5000 C:\WINDOWS\system32\KDCOM.DLL 12288 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF0CCD000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF8AAA000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF0EA6000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xEBAA2000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xF8B04000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF8BA4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF8B02000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF8B06000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF8B8C000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF8B08000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF8B6A000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF8B6C000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF8AF6000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF8C78000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF04EE000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))
0xF04ED000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))
0xF8CF7000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF0C96000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xF8C6F000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xF04EC000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF8BBE000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x82F0A6A2 ?_empty_? 2398 bytes
==============================================
>Stealth
==============================================
0xF855F000 WARNING: suspicious driver modification [atapi.sys::0x82F0A6A2]
==============================================
>Files
==============================================
!-->[Hidden] C:\00
!-->[Hidden] C:\000
!-->[Hidden] C:\000 cddb
!-->[Hidden] C:\cdex_150b10_enu
!-->[Hidden] C:\Config.Msi
!-->[Hidden] C:\Documents and Settings
!-->[Hidden] C:\downloads
!-->[Hidden] C:\eac095pb5
!-->[Hidden] C:\Games
!-->[Hidden] C:\lame-3.95.1
!-->[Hidden] C:\My Music
!-->[Hidden] C:\Neato Mediaface
!-->[Hidden] C:\Program Files
!-->[Hidden] C:\RECYCLER
!-->[Hidden] C:\Start Menu
!-->[Hidden] C:\System Volume Information
!-->[Hidden] C:\temp
!-->[Hidden] C:\WINDOWS
!-->[Hidden] C:\WUTemp
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000BAD4, Type: Inline - RelativeJump 0x804E2AD4-->804E2B40 [ntoskrnl.exe]
[1092]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[1092]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1092]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1092]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1092]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1092]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1092]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1092]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1092]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1092]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1092]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[936]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[936]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[936]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[936]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[936]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[936]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[936]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[936]svchost.exe-->user32.dll-->GetForegroundWindow, Type: Inline - RelativeJump 0x7E429823-->00000000 [unknown_code_page]
[936]svchost.exe-->user32.dll-->WindowFromPoint, Type: Inline - RelativeJump 0x7E429766-->00000000 [unknown_code_page]
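As an added example (not code from this thread, from RkU or from any of the tools used here), a small Python triage script for the report format above: it separates the entries that matter on this machine (the hidden driver, the modified atapi.sys entry, the inline jumps into unknown code pages) from entries RkU also lists on clean machines (IAT patches attributed to shimeng.dll, jumps that stay inside the hooked image), and correlates the hidden driver's address with the stealth warning's target. The verdict rules and the sample excerpt are the example's own assumptions.

```python
"""Triage helper for Rootkit Unhooker (RkU) text reports.
Added example, not code from the thread or from RkU: it parses the >Drivers,
>Stealth, >Files and >Hooks sections, separates entries that point at a
kernel-mode rootkit from entries RkU also reports on clean machines, and
correlates the hidden driver's address with the stealth warning's target."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in RkU report format, modeled on the log posted above.
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
>Drivers
==============================================
0xF855F000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0x82F0A6A2 ?_empty_? 2398 bytes
==============================================
>Stealth
==============================================
0xF855F000 WARNING: suspicious driver modification [atapi.sys::0x82F0A6A2]
==============================================
>Files
==============================================
!-->[Hidden] C:\Program Files
!-->[Hidden] C:\WINDOWS
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
[1092]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[936]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
"""

SECTION_RE = re.compile(r"^>(\w+)$")
HIDDEN_DRIVER_RE = re.compile(r"^!+Hidden driver: (0x[0-9A-Fa-f]+) (\S+) (\d+) bytes")
STEALTH_RE = re.compile(r"^(0x[0-9A-Fa-f]+) WARNING: (.+?) \[(.+?)::(0x[0-9A-Fa-f]+)\]")
HIDDEN_FILE_RE = re.compile(r"^!-->\[Hidden\] (.+)$")
HOOK_RE = re.compile(r"^(?:\[(\d+)\])?(.+?), Type: (.+?) 0x[0-9A-Fa-f]+-->[0-9A-Fa-f]+ \[(.+?)\]$")
# Folders present on every XP system volume; RkU flagging them all as hidden
# means its raw disk view disagrees with the file-system view (analyst review).
SYSTEM_ROOT_DIRS = {r"c:\windows", r"c:\program files", r"c:\documents and settings"}

@dataclass
class Triage:
    hidden_drivers: list = field(default_factory=list)    # (addr, name, size)
    stealth_warnings: list = field(default_factory=list)  # (addr, text, module, target)
    hidden_paths: list = field(default_factory=list)
    hooks: list = field(default_factory=list)             # (verdict, pid, location, module)

    def hooks_by_verdict(self, verdict):
        return [h for h in self.hooks if h[0] == verdict]

    def correlated_targets(self):
        """Hidden-driver addresses that are also a stealth warning's target."""
        hidden = {a.lower() for a, _, _ in self.hidden_drivers}
        return sorted({t.lower() for _, _, _, t in self.stealth_warnings if t.lower() in hidden})

    def volume_view_mismatch(self):
        return bool({p.lower() for p in self.hidden_paths} & SYSTEM_ROOT_DIRS)

def classify_hook(location, hook_type, module):
    """'benign', 'suspicious' or 'review' for one >Hooks line."""
    if module == "unknown_code_page":
        return "suspicious"  # jump into memory owned by no loaded module: injected code
    if hook_type.startswith("IAT") and module == "shimeng.dll":
        return "benign"      # application-compatibility shim engine patching imports
    if location.split("+")[0].split("-->")[-1] == module:
        return "benign"      # jump stays inside the hooked image (e.g. kernel hotpatch)
    return "review"

def triage_report(text):
    """Parse an RkU report into a Triage object."""
    tri, section = Triage(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Drivers" and (m := HIDDEN_DRIVER_RE.match(line)):
            tri.hidden_drivers.append((m.group(1), m.group(2), int(m.group(3))))
        elif section == "Stealth" and (m := STEALTH_RE.match(line)):
            tri.stealth_warnings.append(m.groups())
        elif section == "Files" and (m := HIDDEN_FILE_RE.match(line)):
            tri.hidden_paths.append(m.group(1))
        elif section == "Hooks" and (m := HOOK_RE.match(line)):
            pid, location, hook_type, module = m.groups()
            tri.hooks.append((classify_hook(location, hook_type, module), pid, location, module))
    return tri

def summarize(tri):
    """Analyst-facing triage lines, returned rather than only printed."""
    out = [f"HIGH hidden driver {n} at {a} ({s} bytes)" for a, n, s in tri.hidden_drivers]
    out += [f"HIGH {mod} at {a}: {txt} -> {tgt}" for a, txt, mod, tgt in tri.stealth_warnings]
    out += [f"HIGH hidden code at {t} is the stealth target: one implant" for t in tri.correlated_targets()]
    if tri.volume_view_mismatch():
        out.append("WARN system folders reported hidden: raw disk view disagrees with file system")
    out.append(f"INFO {len(tri.hooks_by_verdict('suspicious'))} hooks into unknown code pages, "
               f"{len(tri.hooks_by_verdict('benign'))} benign")
    return out
```

Run it with `summarize(triage_report(SAMPLE_REPORT))`, or feed it the full report text saved from RkU.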
Jack&Jill
2011-02-20, 19:05
I see that you have some programs on your computer that are not recommended or not safe. You may uninstall them through Add/Remove Programs in the Control Panel.
Registry Cleaner(s)
RegScrubXP 5.1
Personally, I do not recommend any such programs. Here is an excerpt from a discussion on Registry Cleaners:
Most Registry Cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.
See here (http://billpstudios.blogspot.com/2007/04/do-i-need-registry-cleaner.html) and here (http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html) for additional information.
--------------------
Poker programs
A lot of poker programs are infected / can infect you with malware. You should be careful when using them.
Here (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=23145) is a list of known bad Poker games or sites that you should stay away from.
You may want to uninstall UltimateBet too, as it does not have the best of reputations.
--------------------
Please download ComboFix from one of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/sUBs/ComboFix.exe)
Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.
Install Recovery Console and run ComboFix
Please temporarily disable the real-time protection of any Antivirus, Antispyware or Antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Double click on ComboFix.exe and follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present on your computer. Click Yes to proceed.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Re-enable your security software as soon as you have completed the ComboFix steps.
A detailed step by step tutorial to run ComboFix can be found here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) if you need help.
--------------------
Please post back:
1. the answer to my question about your computer
2. the ComboFix log
JD the DJ
2011-02-20, 21:55
1) I'm sorry, I do not know what your question is about my computer. (Unless it was the question from your earlier post about the Attach.txt file from the DDS scan. Since the answer was "Yes", I just posted the log)
2) Ran ComboFix and log is posted below:
-------------------------------------------------------
ComboFix 11-02-20.01 - Dana 02/20/2011 11:52:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.303 [GMT -7:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}
c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome.manifest
c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome\content\_cfg.js
c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\chrome\content\overlay.xul
c:\documents and settings\Administrator.DBARKER2\Local Settings\Application Data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}\install.rdf
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.
2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
c:\documents and settings\Dana\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NapsterShell"=c:\program files\Napster\napster.exe /systray
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]
2011-02-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]
2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\e9buyb2s.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
AddRemove-SiS7012 - c:\program files\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 12:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(552)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
- - - - - - - > 'explorer.exe'(3360)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-02-20 12:30:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-20 19:30
Pre-Run: 18,515,230,720 bytes free
Post-Run: 19,281,817,600 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - C0DBB365C1879BA5CAFED782C348F5CA
Jack&Jill
2011-02-21, 02:45
Hello JD the DJ :),
My apologies, somehow the text that I copied into my reply is missing the question.
Is this a business machine?
--------------------
Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on ESET Online Scanner. A new window will open.
For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
Then, check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.
If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.
--------------------
Please post back:
1. the answer to my question about your computer
2. the ESET result
JD the DJ
2011-02-21, 08:27
1) No, it is my old PC. Currently, I only use it for DJ gigs.
2) I will start the ESET scan process tonight and post the log tomorrow.
Also, since the run of ComboFix finished (~9 hours ago), no cookies or files have appeared in the sub-folders of "C:\Documents and Settings\NetworkService\...", and I have not seen an overactive svchost process. :2thumb:
However, when I re-started TeaTimer, more TeaTimer notifications popped up than I was expecting (I was only expecting the one notification: that the registry item for TeaTimer itself had been changed). The first few that appeared I "denied", since I did not know what they referred to; the rest I "allowed", figuring they were made by the run of ComboFix.
Just in case....
This is the list of items (denied/allowed) from the Spybot Resident TeaTimer log that were made today after re-starting TeaTimer (after the completion of ComboFix):
--------------------------------------------------------------------------
2/20/2011 1:23:17 PM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
2/20/2011 1:23:58 PM Denied (based on user decision) value "NoDriveTypeAutoRun" (new data: "323") changed in System Startup user entry!
2/20/2011 1:24:12 PM Denied (based on user decision) value "NoDriveAutoRun" (new data: "67108863") changed in System Startup user entry!
2/20/2011 1:24:14 PM Denied (based on user decision) value "NoDrives" (new data: "0") added in System Startup user entry!
2/20/2011 1:24:27 PM Allowed (based on user decision) value "Locked" (new data: "") deleted in Global browser toolbar!
2/20/2011 1:25:04 PM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
2/20/2011 1:25:18 PM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
2/20/2011 1:25:21 PM Allowed (based on user decision) value "SearchAssistant" (new data: "") deleted in Browser page!
2/20/2011 1:25:27 PM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
2/20/2011 1:25:30 PM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
2/20/2011 1:25:35 PM Allowed (based on user decision) value "run" (new data: "") deleted in NT startup!
2/20/2011 1:25:39 PM Allowed (based on user decision) value "TaskMan" (new data: "") deleted in Winlogon!
2/20/2011 1:25:54 PM Allowed (based on user decision) value "DisableRegistryTools" (new data: "0") added in Disable Registrytool!
JD the DJ
2011-02-21, 21:29
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=ae03d67303722242aebde56bbfcf4142
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-21 09:26:30
# local_time=2011-02-21 02:26:30 (-0700, Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 83117137 83117137 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=209359
# found=4
# cleaned=0
# scan_time=10197
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1667\A0215072.dll a variant of Win32/Kryptik.KIQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1692\A0220172.dll Win32/TrojanProxy.Agent.NGY trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{2FBDD646-1C51-4A2F-BAC7-61534B6F1CAE}\RP1692\A0220173.exe a variant of Win32/TrojanDownloader.FraudLoad.NAJ trojan (unable to clean) 00000000000000000000000000000000 I
Jack&Jill
2011-02-22, 02:49
Hello JD the DJ :),
Yes, those are changes made by ComboFix. Please allow the changes for the following run.
I see that you have uninstalled Adobe Reader using Revo Uninstaller. You might want to remove this remnant as well:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
--------------------
Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.
Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:
Mozilla Firefox (3.5.13)
Go to the Mozilla Firefox download page. Click here. (http://www.mozilla.com/en-US/firefox/upgrade.html)
Click on the Free Download button and save the setup file to a convenient location.
Double click on the setup file and follow the steps accordingly.
--------------------
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.
Run ComboFix script
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Open Notepad. Copy and paste the following text into it:
File::
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b
Firefox::
FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\e9buyb2s.default\
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update, please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Re-enable your security software as soon as you have completed the ComboFix steps.
--------------------
The remainder of the online scan's findings include items located in C:\System Volume Information\ where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore.
We shall be taking care of them during the final cleanup.
When you complete all the above steps, please rerun DDS and post back the latest result.
--------------------
Please post back:
1. the ComboFix log
2. DDS log
3. any more problems?
JD the DJ
2011-02-22, 12:39
1) I was unable to remove Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742).
None of the programs listed it (Add/Remove, Revo, Spybot, or CCleaner).
2) Downloaded Firefox 3.6.13 setup; Uninstalled old Firefox; Installed new version of Firefox.
3) Disabled TeaTimer. (When I opened Spybot, the box to enable it was not checked. It should have been. I checked the box and closed Spybot. I received the notification about the Spybot registry change plus others relating to Firewall Access. I denied those that I knew were not on the PC any longer or that I had no idea about (for ex. AVG7 and mmc.exe). I opened Spybot and un-checked TeaTimer, then closed Spybot. I opened Spybot again and checked the box. Closed Spybot. Again received Firewall Access registry changes for (most of) the same ones as before. Opened Spybot to disable TeaTimer to run CFScript.)
4) Ran the CFScript, log is pasted below.
5) Re-Enabled TeaTimer (Again received notifications re: Firewall Access)
6) Ran DDS, log pasted below. (When I first tried to run DDS, the black box would appear for about one second, then disappear. Tried to run it a few times, all with the same result. Shut down the PC (and waited for 14 MS updates to install) and re-started the PC. When I logged on, I received TeaTimer notifications re: Firewall Access. But I was now able to run DDS.)
7) As to other problems:
- The TeaTimer notifications for Firewall Access for programs that have been removed from my PC (some were removed years ago).
- There is a new User folder that was created the day of the infection (or shortly after). It is called "Administrator.[full computer name]". There is already a User folder called "Administrator".
- However, the PC seems to be running even better than before being infected. For ex., an svchost process (User Name: Network Service) would run 100% CPU for 10+ minutes when first logging on. That has not happened since running ComboFix the first time.
8) Here are the requested logs:
CFScript log
----------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 11-02-21.02 - Dana 02/22/2011 0:17.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.152 [GMT -7:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
FILE ::
"c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\30\2085d9de-58f5b47b
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\install.rdf
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\install.rdf
C:\Thumbs.db
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.
2011-02-21 06:30 . 2011-02-21 06:30 -------- d-----w- c:\program files\ESET
2011-02-20 23:06 . 2011-02-20 23:06 -------- d-----w- c:\windows\LastGood
2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
c:\documents and settings\Dana\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NapsterShell"=c:\program files\Napster\napster.exe /systray
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]
2011-02-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]
2011-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-22 00:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2011-02-22 00:35:41
ComboFix-quarantined-files.txt 2011-02-22 07:35
ComboFix2.txt 2011-02-20 19:30
Pre-Run: 19,094,921,216 bytes free
Post-Run: 19,083,902,976 bytes free
Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 04632BA1ED6D14C79A013D557BBBF7D1
----------------------------------------------------------------------------------------------------------------------------------------------------
DDS log
DDS (Ver_10-12-12.02) - NTFSx86
Run by Dana at 1:36:55.84 on Tue 02/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.156 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dana\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]
=============== Created Last 30 ================
2011-02-21 06:30:52 -------- d-----w- c:\program files\ESET
2011-02-20 18:31:59 -------- d-sha-r- C:\cmdcons
2011-02-20 18:24:26 98816 ----a-w- c:\windows\sed.exe
2011-02-20 18:24:26 89088 ----a-w- c:\windows\MBR.exe
2011-02-20 18:24:26 256512 ----a-w- c:\windows\PEV.exe
2011-02-20 18:24:26 161792 ----a-w- c:\windows\SWREG.exe
2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist
==================== Find3M ====================
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
============= FINISH: 1:39:25.88 ===============
Jack&Jill
2011-02-22, 19:12
Hello JD the DJ :),
The problem you are experiencing is most likely caused by TeaTimer remembering old changes and interfering with DDS.
To reset TeaTimer so that it does not remember any previous entries:
Edit the entries that TeaTimer uses to automatically "Allow" or "Deny" changes that were based on the use of "Remember this decision" as follows:
Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
Allowed processes
Blocked processes
Allowed registry changes
Blocked registry changes
Note: If you don't see all four buttons, try expanding the window to the right.
The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember, so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.
Reset TeaTimer's snapshot files:
TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.
Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.
--------------------
For the Adobe entry, I think you can leave it alone since none of the uninstallers are seeing it.
The new user folder should pose no harm as well.
--------------------
Please ensure TeaTimer is reset according to my instructions above and disabled before continuing below.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.
Run ComboFix script
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html) and here (http://www.bleepingcomputer.com/forums/topic114351.html).
Open Notepad. Copy and paste the following text into it:
DDS::
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).
http://i582.photobucket.com/albums/ss269/Cat_Byte/images/CFScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update, please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
Re-enable your security software as soon as you have completed the ComboFix steps.
--------------------
Please post back:
1. the ComboFix log
2. fresh DDS log
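The CFScript above is built by hand: the helper copied out of the DDS "Pseudo HJT Report" every BHO, toolbar, explorer-bar and IE-extension entry whose target is "No File", empty, or a bare CLSID instead of a file path. The script below, added here as an example and not a tool from the thread or from the DDS/ComboFix authors, applies exactly that rule to a constructed report excerpt and emits the matching "DDS::" section. Its sample log, the entry kinds it accepts and the orphan heuristic are assumptions; in particular the heuristic does not flag entries that still point at a file, so something like the UltimateBet entry the helper chose to remove stays in the log for a human to judge.

```python
import re

# Constructed excerpt (not a real log from this thread): a Pseudo HJT Report in the
# format DDS produces, mixing orphaned entries with ones that still point at a file.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
================= FIREFOX ===================
"""

# Entry kinds the CFScript "DDS::" section is used for in this thread (assumption):
# browser helper objects, toolbars, explorer bars and IE menu/button extensions.
KINDS = {"BHO", "TB", "EB", "IE"}

# A registry CLSID as DDS prints it: {8-4-4-4-12 hex digits}.
GUID = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


def parse_entry(line):
    """Split one Pseudo HJT line into (kind, identity, target).

    target is None when the line has no " - target" part at all and "" when the
    separator is present but nothing follows it (DDS prints a trailing " -").
    """
    kind, _, body = line.strip().partition(": ")
    body = body.strip()
    m = GUID.search(body)
    if m:
        # Split right after the first CLSID so a " - " inside a name or path
        # cannot be mistaken for the separator.
        identity, rest = body[: m.end()], body[m.end():].strip()
        if rest == "":
            return kind, identity, None
        if rest.startswith("-"):
            return kind, identity, rest[1:].strip()
        return kind, identity, rest
    # No CLSID on the line (e.g. "BHO: AutorunsDisabled - No File"):
    # fall back to the last " - " separator.
    if body.endswith(" -"):
        return kind, body[:-2].strip(), ""
    identity, sep, target = body.rpartition(" - ")
    if sep:
        return kind, identity.strip(), target.strip()
    return kind, body, None


def is_orphan(target):
    """True when the entry points at nothing a loader could run."""
    if target is None or target == "":
        return True
    t = target.strip()
    return t.lower() == "no file" or GUID.fullmatch(t) is not None


def orphan_entries(dds_text):
    """Return the report lines (verbatim) that the heuristic flags."""
    found = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        kind, _, _ = line.partition(": ")
        if kind not in KINDS:
            continue
        _, _, target = parse_entry(line)
        if is_orphan(target):
            found.append(line)
    return found


def build_cfscript(dds_text):
    """Emit a CFScript 'DDS::' section listing the flagged lines verbatim."""
    return "DDS::\n" + "\n".join(orphan_entries(dds_text)) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_DDS), end="")
```

Run on the constructed excerpt it prints a DDS:: block with seven lines: the two "No File" BHOs, the WormRadar BHO with an empty target, the "No File" toolbar and explorer bar, the bare IE CLSID and the IE entry whose "path" is another CLSID. The Spybot, Yahoo Messenger and xpnetdiag entries are left alone because they still resolve to a file.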
JD the DJ
2011-02-23, 04:19
Pasted below are:
1) CFScript log
2) DDS log
CFScript log
--------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 11-02-22.01 - Dana 02/22/2011 18:22:34.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.210 [GMT -7:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
.
((((((((((((((((((((((((( Files Created from 2011-01-23 to 2011-02-23 )))))))))))))))))))))))))))))))
.
2011-02-21 06:30 . 2011-02-21 06:30 -------- d-----w- c:\program files\ESET
2011-02-19 11:50 . 2011-02-19 11:51 -------- d-----w- c:\program files\ERUNT
2011-02-17 17:19 . 2011-02-17 17:19 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45 . 2011-02-15 23:45 -------- d-----w- c:\program files\Microsoft Easy Assist
2011-02-15 17:56 . 2011-02-15 17:56 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-01-27 08:25 . 2011-01-27 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-01-27 03:26 . 2011-01-28 04:47 -------- d-----w- c:\documents and settings\Administrator.DBARKER2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2003-03-31 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2003-03-31 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2003-03-31 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-21 01:09 . 2008-10-31 12:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2008-10-31 12:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 23:59 . 2004-02-07 00:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2003-03-31 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2003-03-31 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 01:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-07-03 11:11 . 2006-07-03 11:12 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19 . 2004-01-31 23:08 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-22_07.29.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2003-03-31 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 66560 c:\windows\system32\mshtmled.dll
- 2006-11-08 04:03 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 04:03 . 2010-12-20 23:59 55296 c:\windows\system32\msfeedsbs.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 25600 c:\windows\system32\jsproxy.dll
- 2003-03-31 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
+ 2009-06-20 01:37 . 2010-12-20 23:59 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-20 01:37 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2006-05-10 05:23 . 2010-12-20 23:59 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:23 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 21:00 . 2010-12-20 23:59 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-05-09 21:00 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-10-17 19:05 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2006-10-17 19:05 . 2010-12-20 23:59 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2006-05-10 05:22 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2010-12-20 23:59 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
- 2003-03-31 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 206848 c:\windows\system32\occache.dll
- 2003-03-31 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 611840 c:\windows\system32\mstime.dll
+ 2006-11-08 04:03 . 2010-12-20 23:59 602112 c:\windows\system32\msfeeds.dll
- 2006-11-08 04:03 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
- 2003-03-31 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 184320 c:\windows\system32\iepeers.dll
+ 2003-03-31 12:00 . 2010-12-20 23:59 387584 c:\windows\system32\iedkcs32.dll
- 2003-03-31 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
+ 2003-03-31 12:00 . 2010-12-20 12:55 173568 c:\windows\system32\ie4uinit.exe
- 2003-03-31 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
+ 2004-01-23 17:51 . 2011-02-22 08:28 263824 c:\windows\system32\FNTCACHE.DAT
- 2004-01-23 17:51 . 2010-12-19 06:37 263824 c:\windows\system32\FNTCACHE.DAT
- 2004-02-07 00:05 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
+ 2004-02-07 00:05 . 2010-12-20 23:59 916480 c:\windows\system32\dllcache\wininet.dll
+ 2011-01-21 14:44 . 2011-01-21 14:44 439296 c:\windows\system32\dllcache\shimgvw.dll
+ 2006-10-17 19:04 . 2010-12-20 23:59 206848 c:\windows\system32\dllcache\occache.dll
- 2006-10-17 19:04 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-05-01 20:30 . 2010-12-09 15:15 718336 c:\windows\system32\dllcache\ntdll.dll
- 2006-05-10 05:23 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2010-12-20 23:59 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-05-09 21:00 . 2010-12-20 23:59 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 21:00 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-01 20:30 . 2010-12-20 17:26 730112 c:\windows\system32\dllcache\lsasrv.dll
- 2009-05-01 20:30 . 2009-06-25 08:25 730112 c:\windows\system32\dllcache\lsasrv.dll
+ 2009-06-25 08:25 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-06-25 08:25 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
- 2009-06-20 01:37 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-20 01:37 . 2010-12-20 23:59 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2006-05-10 05:22 . 2010-12-20 23:59 184320 c:\windows\system32\dllcache\iepeers.dll
- 2006-05-10 05:22 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-07-30 19:30 . 2010-12-20 23:59 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-07-30 19:30 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2006-11-07 10:27 . 2010-12-20 23:59 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-11-07 10:27 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 10:26 . 2010-12-20 12:55 173568 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-07 10:26 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
- 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2010-04-20 05:30 . 2011-01-07 14:09 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 916480 c:\windows\ie8updates\KB2482017-IE8\wininet.dll
+ 2011-02-22 08:14 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2482017-IE8\spuninst\updspapi.dll
+ 2011-02-22 08:14 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2482017-IE8\spuninst\spuninst.exe
+ 2011-02-22 08:14 . 2010-11-06 00:26 206848 c:\windows\ie8updates\KB2482017-IE8\occache.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 611840 c:\windows\ie8updates\KB2482017-IE8\mstime.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 602112 c:\windows\ie8updates\KB2482017-IE8\msfeeds.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 247808 c:\windows\ie8updates\KB2482017-IE8\ieproxy.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 184320 c:\windows\ie8updates\KB2482017-IE8\iepeers.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 743424 c:\windows\ie8updates\KB2482017-IE8\iedvtool.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 387584 c:\windows\ie8updates\KB2482017-IE8\iedkcs32.dll
+ 2011-02-22 08:14 . 2010-11-03 12:26 173568 c:\windows\ie8updates\KB2482017-IE8\ie4uinit.exe
+ 2011-02-22 08:32 . 2011-02-22 08:32 266240 c:\windows\ERDNT\AutoBackup\2-22-2011\Users\00000002\UsrClass.dat
+ 2011-02-22 08:32 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-22-2011\ERDNT.EXE
+ 2004-01-21 23:20 . 2010-12-20 23:59 1210880 c:\windows\system32\urlmon.dll
- 2004-01-21 23:20 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
- 2004-07-16 21:15 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2004-07-16 21:15 . 2011-01-21 14:44 8462336 c:\windows\system32\shell32.dll
+ 2004-07-08 00:37 . 2010-12-20 23:59 5961216 c:\windows\system32\mshtml.dll
- 2006-10-17 18:57 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2006-10-17 18:57 . 2010-12-20 23:59 1991680 c:\windows\system32\iertutil.dll
+ 2008-10-14 19:17 . 2010-12-31 13:10 1854976 c:\windows\system32\dllcache\win32k.sys
+ 2004-01-21 23:20 . 2010-12-20 23:59 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2004-01-21 23:20 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
- 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02 . 2011-01-21 14:44 8462336 c:\windows\system32\dllcache\shell32.dll
+ 2008-10-14 19:17 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2008-10-14 19:17 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 19:17 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 19:17 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2006-05-19 15:08 . 2010-12-20 23:59 5961216 c:\windows\system32\dllcache\mshtml.dll
- 2007-05-09 21:01 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 21:01 . 2010-12-20 23:59 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 1210880 c:\windows\ie8updates\KB2482017-IE8\urlmon.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 5959168 c:\windows\ie8updates\KB2482017-IE8\mshtml.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 1991680 c:\windows\ie8updates\KB2482017-IE8\iertutil.dll
+ 2008-10-14 19:17 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-14 19:17 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 19:17 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-14 19:17 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2005-05-13 20:03 . 2011-02-22 08:15 37443528 c:\windows\system32\MRT.exe
+ 2006-11-08 04:03 . 2010-12-21 12:29 11080704 c:\windows\system32\ieframe.dll
- 2006-11-08 04:03 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
- 2007-05-09 21:00 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-09 21:00 . 2010-12-21 12:29 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-02-22 08:14 . 2010-11-06 00:26 11080704 c:\windows\ie8updates\KB2482017-IE8\ieframe.dll
+ 2011-02-22 08:32 . 2011-02-22 08:32 17768448 c:\windows\ERDNT\AutoBackup\2-22-2011\Users\00000001\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
c:\documents and settings\Dana\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-23 813584]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 18:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"JavaQuickStarterService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NapsterShell"=c:\program files\Napster\napster.exe /systray
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [1/23/2009 6:56 PM 10384]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [1/27/2004 9:49 AM 1025288]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/8/2003 9:56 AM 820133]
S3 CallerIP;Visualware CallerIP;c:\program files\CallerIP\cip-nt.exe --> c:\program files\CallerIP\cip-nt.exe [?]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\DRIVERS\idcphid.sys --> c:\windows\system32\DRIVERS\idcphid.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
2011-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:42]
2011-02-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-05-04 21:31]
2011-02-22 c:\windows\Tasks\User_Feed_Synchronization-{7255A037-42F1-4F10-A6F1-8A5588174281}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-22 18:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-1935655697-1202660629-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-22 18:40:09
ComboFix-quarantined-files.txt 2011-02-23 01:40
ComboFix2.txt 2011-02-22 07:35
ComboFix3.txt 2011-02-20 19:30
Pre-Run: 18,733,899,776 bytes free
Post-Run: 18,734,149,632 bytes free
Current=4 Default=4 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - BA8E7F5551C34A2EA167A8A149915AD1
DDS log
---------------------------------------------------------------------------------------------------------------------------------------
DDS (Ver_10-12-12.02) - NTFSx86
Run by Dana at 18:55:32.75 on Tue 02/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.170 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Dana\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://google.com/
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]
=============== Created Last 30 ================
2011-02-21 06:30:52 -------- d-----w- c:\program files\ESET
2011-02-20 18:31:59 -------- d-sha-r- C:\cmdcons
2011-02-20 18:24:26 98816 ----a-w- c:\windows\sed.exe
2011-02-20 18:24:26 89088 ----a-w- c:\windows\MBR.exe
2011-02-20 18:24:26 256512 ----a-w- c:\windows\PEV.exe
2011-02-20 18:24:26 161792 ----a-w- c:\windows\SWREG.exe
2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist
==================== Find3M ====================
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
============= FINISH: 18:57:13.09 ===============
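The helpers in this thread read the DDS "Pseudo HJT Report" by eye: BHO/EB entries ending in "No File" are orphaned CLSID registrations whose DLL is gone (usually leftovers of a removal, harmless but worth cleaning), DPF entries are ActiveX downloads and deserve a look when they point anywhere other than a vendor you recognise or at a bare .exe, and the TCP line shows which DNS resolvers the adapter is using. The script below does that first pass automatically. It is an added example, not a tool from the Spybot forum or from the DDS author: the sample input is a handful of lines copied from the log above, and the trusted-host list and the resolver list (the two OpenDNS addresses) are assumptions chosen for this illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above.
# DDS writes "hxxp" instead of "http" so URLs in logs are not clickable.
SAMPLE_DDS = r"""
BHO: AutorunsDisabled - No File
BHO: Yahoo! IE Suggest - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
"""

# Assumption (not from the thread): vendors whose ActiveX download hosts are
# expected on this machine. Anything else is flagged for a human to review.
TRUSTED_DPF_HOSTS = ("microsoft.com", "java.sun.com")

# Assumption: the well-known OpenDNS resolver addresses, so the TCP line is
# labelled "known" instead of being reported as an unexplained DNS change.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

ENTRY_RE = re.compile(r"^(BHO|EB|DPF|IE|TCP): (.*)$")


def parse_dds(text):
    """Return (kind, rest) tuples for the HJT-style lines in a DDS log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def host_of(url):
    """Undo the hxxp defanging and return the URL's hostname."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def is_trusted_host(host):
    # Exact match or a subdomain; "microsoft.com.evil.example" must NOT match.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def triage(text):
    """First-pass findings a helper would want to look at, in log order."""
    findings = []
    for kind, rest in parse_dds(text):
        if rest.endswith("- No File"):
            findings.append(("orphan", kind, rest))
        elif kind == "DPF":
            url = rest.split(" - ", 1)[-1]
            host = host_of(url)
            if not is_trusted_host(host):
                findings.append(("untrusted_dpf", host, url))
            if url.lower().split("?", 1)[0].endswith(".exe"):
                # An ActiveX download that is a bare executable rather than a CAB
                findings.append(("dpf_exe", host, url))
        elif kind == "TCP":
            servers = {s.strip() for s in rest.split("=", 1)[1].split(",")}
            status = "known" if servers <= KNOWN_RESOLVERS else "unknown"
            findings.append(("dns", status, sorted(servers)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

On the sample above this reports the three "No File" orphans, flags the Napster DPF twice (non-allowlisted host and an .exe payload) and labels the two resolvers as known; the Java and Microsoft Update CABs pass. The host check is the part worth copying: matching on "endswith" without the leading dot would let a lookalike domain through.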
Jack&Jill
2011-02-23, 16:07
Hello JD the DJ :),
How is the computer behaving now? Did the Teatimer reset go well?
JD the DJ
2011-02-23, 22:32
Looking good.
Except for the same 5 MS updates that keep getting installed every time I shut PC down (KB982524, KB983583, KB2418241, KB982168, KB979909)
TeaTimer reset went well.
Jack&Jill
2011-02-24, 15:02
Hello JD the DJ :),
Looks like a Microsoft .NET Framework problem, and quite a common one. See if these help:
http://support.microsoft.com/kb/910339
http://support.microsoft.com/kb/976982
--------------------
Congratulations, you are All Clear to go. Glad to hear everything is good and running :). If you have any more problems, please let me know.
Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.
Go to Start > Run... Copy and paste the following text into the white box:
ComboFix /uninstall
Click OK.
Delete the USBNoRisk and Rootkit Unhooker files on your desktop.
Delete any logs on the desktop.
Some tips to help you stay clean and safe:
1. Keep your Windows up to date. Enable Automatic Updates for Windows XP (http://www.bleepingcomputer.com/tutorials/tutorial35.html) to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.
2. Update your Antivirus program regularly, it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials (http://www.microsoft.com/security_essentials/), Avast (http://www.avast.com/eng/download-avast-home.html) and Avira (http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914) are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 (http://www.eset.com/products/nod32.php) and Kaspersky (http://www.kaspersky.com/kaspersky_anti-virus) are some good options. Please keep only one AV installed.
3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool (http://www.malwarebytes.org/mbam.php), totally free, but for real-time protection you will have to pay a small one-time fee.
4. Install WinPatrol, a great protection program (http://www.winpatrol.com/) that helps you monitor for unwanted files or applications.
5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts (http://www.mvps.org/winhelp2002/hosts.htm) for this purpose.
6. Install Web of Trust (WOT). WOT (http://www.mywot.com/) keeps you away from dangerous websites with warnings and blocks.
7. Protect your computer from removable or USB drive infections with Panda USB Vaccine (http://www.pandasecurity.com/homeusers/downloads/usbvaccine/), an effective method to prevent malware from spreading.
8. Keep all your software updated. Visit Secunia Software Inspector (http://secunia.com/software_inspector/) to find out if any updates are required.
9. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
10. Also look up:
Computer Security - a short guide to staying safer online (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=54766)
PC Safety and Security - What Do I Need? By Glaswegian (http://www.techsupportforum.com/security-center/general-computer-security/525915-pc-safety-security-what-do-i-need.html)
How to prevent malware: By miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
So how did I get infected in the first place? By Tony Klein (http://forums.spybot.info/showthread.php?t=279)
Microsoft Online Safety (http://www.microsoft.com/protect/default.aspx)
Stay safe.
Jack&Jill
2011-02-27, 16:11
As your problems appear to have been resolved, this topic is now closed.
We are glad to be of help. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)