View Full Version : Conducent. Timesink won't remove.
I have run Spybot S&D multiple times trying to remove Conducent. Timesink. It removes it but it comes right back.
I'm unable to connect the infected computer to the internet (probably because of the virus, it will occasionally connect but only extremely slow) but I have access to a running pc and a flash drive.
I saw where forums said not to turn off System Restore but I had already done that.
I am running Internet explorer and Windows XP.
The pc may have also been infected with Win32.Autorun. tmp at the same time but that appears to have been successfully removed.
Appreciate any help!! I have spent all weekend trying to fix this. Thanks.
I’m unable to download anything from the internet so I cannot run ERUNT or DDS on the system unless I transfer it from another computer with a flash drive.
I have not disabled Teatimer, unsure if I should do that.
Hi,
I’m unable to download anything from the internet so I cannot run ERUNT or DDS on the system unless I transfer it from another computer with a flash drive.
Please do it like that to get DDS logs out.
I have run Spybot S&D multiple times trying to remove Conducent. Timesink. It removes it but it comes right back.
I saw where forums said not to turn off System Restore but I had already done that.
I am running Internet explorer and Windows XP.
The pc may have also been infected with Win32.Autorun. tmp at the same time but that appears to have been successfully removed.
Appreciate any help!! I have spent all weekend trying to fix this. Thanks.
I am reposting this with the DDS files.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MAIN at 20:18:31.42 on Wed 04/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.235 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MAIN\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [Sonic RecordNow!]
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [TimeSink Ad Client] "c:\program files\timesink\adgateway\TsAdBot.exe"
StartupFolder: c:\docume~1\main\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\main\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\main\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-29 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-7-16 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-29 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113096]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
.
=============== Created Last 30 ================
.
2011-04-06 02:31:27 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31:58 -------- d-----w- c:\docume~1\main\applic~1\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2011-04-05 01:28:02 -------- d-----w- c:\docume~1\main\applic~1\WinPatrol
2011-04-05 01:27:43 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\InstallMate
2011-03-31 23:29:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48:06 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-21 01:17:47 -------- d-----w- C:\tobex_pi_32
2011-03-21 00:47:04 -------- d-----w- C:\Grants-Empire-V1
2011-03-21 00:09:58 -------- d-----w- c:\documents and settings\main\.webstersca_cache_32
2011-03-20 04:42:24 -------- d-----w- c:\program files\Strategy First
2011-03-18 02:45:08 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-03-13 03:19:01 -------- d-----w- c:\program files\iPod
2011-03-13 03:18:42 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 20:23:38.03 ===============
Hi
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
I installed the software Combofix and ran it. It was scanning and then I received Error Message that A Problem was detected and Windows has been shut down to prevent damage to your computer. It says that if this is the first time you have seen this message you should restart your computer. I have not done that yet. Should I try restarting? Thanks.
Hi,
What is the error message and code you see there?
Plug and play detected an error most likely caused by a faulty driver.
Hi,
Reboot. Let's see how it goes.
It worked! Here is the log.
ComboFix 11-04-08.01 - MAIN 04/08/2011 18:26:37.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.355 [GMT -5:00]
Running from: c:\documents and settings\MAIN\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\MAIN\Recent\Thumbs.db
c:\documents and settings\MAIN\WINDOWS
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\Startup.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-07 15:12 . 2009-10-07 20:28 17544 ------w- c:\windows\system32\drivers\RkPavproc1.sys
2011-04-07 01:15 . 2011-04-07 01:16 -------- d-----w- c:\program files\ERUNT
2011-04-06 02:31 . 2011-04-06 02:31 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31 . 2011-04-05 02:31 -------- d-----w- c:\documents and settings\MAIN\Application Data\Panda Security
2011-04-05 02:30 . 2011-04-05 02:30 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30 . 2011-04-05 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-04-05 01:28 . 2011-04-05 01:28 -------- d-----w- c:\documents and settings\MAIN\Application Data\WinPatrol
2011-04-05 01:27 . 2011-04-05 01:27 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27 . 2011-04-05 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-03-31 23:29 . 2011-04-01 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-31 03:09 . 2011-03-31 03:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48 . 2011-03-25 23:48 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-21 01:17 . 2011-03-21 01:19 -------- d-----w- C:\tobex_pi_32
2011-03-21 00:47 . 2011-03-21 00:54 -------- d-----w- C:\Grants-Empire-V1
2011-03-21 00:09 . 2011-03-21 00:14 -------- d-----w- c:\documents and settings\MAIN\.webstersca_cache_32
2011-03-20 04:42 . 2011-03-20 04:42 -------- d-----w- c:\program files\Strategy First
2011-03-18 02:46 . 2011-03-18 02:46 -------- d-----w- c:\documents and settings\Nick\Application Data\Gtek
2011-03-18 02:46 . 2011-03-18 02:46 -------- d-----w- c:\documents and settings\Default User\Application Data\Gtek
2011-03-18 02:45 . 2011-03-18 02:46 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-03-13 03:19 . 2011-03-13 03:19 -------- d-----w- c:\program files\iPod
2011-03-13 03:18 . 2011-03-13 03:21 -------- d-----w- c:\program files\iTunes
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-24 20:21 . 2009-08-18 16:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-03-24 20:21 . 2009-08-18 16:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-18 22:36 . 2010-05-05 03:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2010-05-05 03:35 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2003-08-04 196096]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-03-16 325000]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-02-24 423232]
.
c:\documents and settings\MAIN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Plus! Photo Story 2 LE\\PS2Trial.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1120:TCP"= 1120:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/29/2010 10:54 PM 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [12/16/2010 6:12 PM 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/16/2003 3:47 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/29/2010 10:54 PM 17744]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [12/16/2010 6:19 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [12/16/2010 6:12 PM 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [12/16/2010 6:12 PM 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [12/16/2010 6:12 PM 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [12/16/2010 6:12 PM 113096]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 12:06 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 17:06]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 17:06]
.
2011-04-08 c:\windows\Tasks\User_Feed_Synchronization-{178E2BD5-C78E-45FE-B405-21A849366481}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\MAIN\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\MAIN\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Sonic RecordNow! - (no file)
Notify-GoToAssist - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 18:40
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-04-08 18:44:34
ComboFix-quarantined-files.txt 2011-04-08 23:44
.
Pre-Run: 150,199,181,312 bytes free
Post-Run: 150,741,557,248 bytes free
.
- - End Of File - - 96CE00A9670F25F3063119958775BDFA
Good. Please post fresh dds logs too :)
Here are the new logs.
Thanks for all your help!
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MAIN at 8:49:13.39 on Sat 04/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.239 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MAIN\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
StartupFolder: c:\docume~1\main\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\main\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\main\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-29 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-7-16 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-29 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113096]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
.
=============== Created Last 30 ================
.
2011-04-08 21:07:57 -------- d-sha-r- C:\cmdcons
2011-04-08 21:04:13 98816 ----a-w- c:\windows\sed.exe
2011-04-08 21:04:13 89088 ----a-w- c:\windows\MBR.exe
2011-04-08 21:04:13 256512 ----a-w- c:\windows\PEV.exe
2011-04-08 21:04:13 161792 ----a-w- c:\windows\SWREG.exe
2011-04-07 15:12:47 17544 ------w- c:\windows\system32\drivers\RkPavproc1.sys
2011-04-06 02:31:27 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31:58 -------- d-----w- c:\docume~1\main\applic~1\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2011-04-05 01:28:02 -------- d-----w- c:\docume~1\main\applic~1\WinPatrol
2011-04-05 01:27:43 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\InstallMate
2011-03-31 23:29:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48:06 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-21 01:17:47 -------- d-----w- C:\tobex_pi_32
2011-03-21 00:47:04 -------- d-----w- C:\Grants-Empire-V1
2011-03-21 00:09:58 -------- d-----w- c:\documents and settings\main\.webstersca_cache_32
2011-03-20 04:42:24 -------- d-----w- c:\program files\Strategy First
2011-03-18 02:45:08 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-03-13 03:19:01 -------- d-----w- c:\program files\iPod
2011-03-13 03:18:42 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
============= FINISH: 8:50:09.07 ===============
Hi again,
Disable WinPatrol's realtime protection.
Right-click the running icon of Winpatrol in the system tray
Choose exit. It will automatically restart at next boot.
Open notepad and copy/paste the text in the quotebox below into it:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370
uInternet Settings,ProxyOverride = *.local
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one ((Adobe Reader X + 10.0.1 update for it)) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 24 (http://java.sun.com/javase/downloads/index.jsp).
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version. Uncheck any toolbar installation option if it's offered there.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is not checkmarked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Scans completed. Here are the logs. Thanks.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MAIN at 15:22:34.06 on Sat 04/09/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.226 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MAIN\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\main\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\main\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\main\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-29 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-7-16 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-29 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113096]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
.
=============== Created Last 30 ================
.
2011-04-09 18:49:16 -------- d-----w- c:\program files\ESET
2011-04-09 18:46:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-09 18:46:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-08 21:07:57 -------- d-sha-r- C:\cmdcons
2011-04-08 21:04:13 98816 ----a-w- c:\windows\sed.exe
2011-04-08 21:04:13 89088 ----a-w- c:\windows\MBR.exe
2011-04-08 21:04:13 256512 ----a-w- c:\windows\PEV.exe
2011-04-08 21:04:13 161792 ----a-w- c:\windows\SWREG.exe
2011-04-07 15:12:47 17544 ------w- c:\windows\system32\drivers\RkPavproc1.sys
2011-04-06 02:31:27 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31:58 -------- d-----w- c:\docume~1\main\applic~1\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2011-04-05 01:28:02 -------- d-----w- c:\docume~1\main\applic~1\WinPatrol
2011-04-05 01:27:43 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\InstallMate
2011-03-31 23:29:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48:06 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-21 01:17:47 -------- d-----w- C:\tobex_pi_32
2011-03-21 00:47:04 -------- d-----w- C:\Grants-Empire-V1
2011-03-21 00:09:58 -------- d-----w- c:\documents and settings\main\.webstersca_cache_32
2011-03-20 04:42:24 -------- d-----w- c:\program files\Strategy First
2011-03-18 02:45:08 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-03-13 03:19:01 -------- d-----w- c:\program files\iPod
2011-03-13 03:18:42 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
ComboFix 11-04-08.01 - MAIN 04/09/2011 12:47:15.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.322 [GMT -5:00]
Running from: c:\documents and settings\MAIN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MAIN\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Panda Cloud Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
.
2011-04-07 15:12 . 2009-10-07 20:28 17544 ------w- c:\windows\system32\drivers\RkPavproc1.sys
2011-04-07 01:15 . 2011-04-07 01:16 -------- d-----w- c:\program files\ERUNT
2011-04-06 02:31 . 2011-04-06 02:31 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31 . 2011-04-05 02:31 -------- d-----w- c:\documents and settings\MAIN\Application Data\Panda Security
2011-04-05 02:30 . 2011-04-05 02:30 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30 . 2011-04-05 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-04-05 01:28 . 2011-04-05 01:28 -------- d-----w- c:\documents and settings\MAIN\Application Data\WinPatrol
2011-04-05 01:27 . 2011-04-05 01:27 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27 . 2011-04-05 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-03-31 23:29 . 2011-04-01 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-31 03:09 . 2011-03-31 03:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48 . 2011-03-25 23:48 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-21 01:17 . 2011-03-21 01:19 -------- d-----w- C:\tobex_pi_32
2011-03-21 00:47 . 2011-03-21 00:54 -------- d-----w- C:\Grants-Empire-V1
2011-03-21 00:09 . 2011-03-21 00:14 -------- d-----w- c:\documents and settings\MAIN\.webstersca_cache_32
2011-03-20 04:42 . 2011-03-20 04:42 -------- d-----w- c:\program files\Strategy First
2011-03-18 02:46 . 2011-03-18 02:46 -------- d-----w- c:\documents and settings\Nick\Application Data\Gtek
2011-03-18 02:46 . 2011-03-18 02:46 -------- d-----w- c:\documents and settings\Default User\Application Data\Gtek
2011-03-18 02:45 . 2011-03-18 02:46 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2011-03-13 03:19 . 2011-03-13 03:19 -------- d-----w- c:\program files\iPod
2011-03-13 03:18 . 2011-03-13 03:21 -------- d-----w- c:\program files\iTunes
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-24 20:21 . 2009-08-18 16:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-03-24 20:21 . 2009-08-18 16:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-18 22:36 . 2010-05-05 03:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2010-05-05 03:35 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-12-16 23:18 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2003-08-04 196096]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-17 4800512]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-03-16 325000]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-02-24 423232]
.
c:\documents and settings\MAIN\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Plus! Photo Story 2 LE\\PS2Trial.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/29/2010 10:54 PM 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [12/16/2010 6:12 PM 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [7/16/2003 3:47 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/29/2010 10:54 PM 17744]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [12/16/2010 6:19 PM 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [12/16/2010 6:12 PM 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [12/16/2010 6:12 PM 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [12/16/2010 6:12 PM 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [12/16/2010 6:12 PM 113096]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/30/2010 12:06 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 17:06]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 17:06]
.
2011-04-09 c:\windows\Tasks\User_Feed_Synchronization-{178E2BD5-C78E-45FE-B405-21A849366481}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\MAIN\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\MAIN\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-09 12:57
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-09 13:01:13
ComboFix-quarantined-files.txt 2011-04-09 18:01
ComboFix2.txt 2011-04-08 23:44
.
Pre-Run: 150,638,755,840 bytes free
Post-Run: 150,619,303,936 bytes free
.
- - End Of File - - 023D6BE7628F450371C90CD82014728B
ESET LOG
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConducentTimeSink.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{7239325D-6CB9-4192-AF82-F6964C5EB97F}\RP1\A0001126.dll Win32/Toolbar.Zugo application
.
============= FINISH: 15:23:24.90 ===============
Hi,
Delete C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ConducentTimeSink.zip file. How's the system running now?
It seems to be running pretty well.
The only issue is that if you double click on the Internet Explore icon, it has trouble connecting. If you right click and then click open it connects right away. Other than that everything seems fine. Thanks again.
Hi,
Does it give any errors when you double click the internet explorer icon?
No it does not. It just says it's connecting but it never does.
Hi,
Right click the Internet Explorer icon and list down all the options available there.
Here is the list:
Open
Run As...
Scan iexplorer.exe
Pin To Start
Scan with Panda Cloud
Scan with Malware Bytes
Send To
Cut
Copy
Create Shortcut
Delete
Rename
Property
Hi,
I see you don't have service pack 3 for Windows XP installed yet. Let's see if installing it helps with IE issue too. Post back fresh dds logs when SP3 has been installed.
Yes, sorry been out of town. I've updated all of the Microsoft items. Here are theDDs logs.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MAIN at 22:16:08.34 on Fri 04/22/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.341 [GMT -5:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MAIN\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Charter Toolbar: {4e7bd74f-2b8d-469e-85ab-af21f3d9ae2f} - c:\progra~1\charte~1\CHARTE~1.DLL
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\main\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\main\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to iPod Converter - c:\documents and settings\main\application data\dvdvideosoftiehelpers\freeyoutubetoipodconverter.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\main\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-29 165584]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-12-16 130376]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2003-7-16 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-29 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-12-16 140608]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-12-16 141768]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-12-16 97352]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-12-16 111944]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-12-16 113096]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-29 40384]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-3-24 126696]
.
=============== Created Last 30 ================
.
2011-04-21 04:26:59 -------- d-----w- c:\program files\iPod
2011-04-21 04:26:40 -------- d-----w- c:\program files\iTunes
2011-04-18 03:21:13 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-04-18 03:20:21 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-04-18 03:18:42 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-04-18 03:18:41 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-04-18 03:15:04 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-04-18 01:10:28 -------- d-----w- c:\windows\system32\scripting
2011-04-18 01:10:26 -------- d-----w- c:\windows\l2schemas
2011-04-18 01:10:25 -------- d-----w- c:\windows\system32\en
2011-04-18 01:10:24 -------- d-----w- c:\windows\system32\bits
2011-04-18 01:04:48 -------- d-----w- c:\windows\network diagnostic
2011-04-17 05:50:57 -------- d-----w- C:\f9c07d82e748510f25c1
2011-04-13 02:17:06 -------- d-----w- c:\program files\Audacity
2011-04-12 01:39:29 -------- d-----r- C:\Sandbox
2011-04-12 01:38:02 -------- d-----w- c:\program files\Sandboxie
2011-04-09 18:46:41 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-09 18:46:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-08 21:07:57 -------- d-sha-r- C:\cmdcons
2011-04-08 21:04:13 98816 ----a-w- c:\windows\sed.exe
2011-04-08 21:04:13 89088 ----a-w- c:\windows\MBR.exe
2011-04-08 21:04:13 256512 ----a-w- c:\windows\PEV.exe
2011-04-08 21:04:13 161792 ----a-w- c:\windows\SWREG.exe
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 02:31:27 -------- d-----w- c:\windows\system32\GroupPolicy
2011-04-05 02:31:58 -------- d-----w- c:\docume~1\main\applic~1\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\program files\Panda Security
2011-04-05 02:30:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\Panda Security
2011-04-05 01:28:02 -------- d-----w- c:\docume~1\main\applic~1\WinPatrol
2011-04-05 01:27:43 -------- d-----w- c:\program files\BillP Studios
2011-04-05 01:27:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\InstallMate
2011-03-31 23:29:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-31 03:09:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-25 23:48:06 4284416 ----a-w- c:\windows\system32\GPhotos.scr
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 22:22:49.42 ===============
Hi,
Is that IE issue still present?
Hi,
When you right click Internet Explorer icon on your desktop is one of the options listed there really "Scan iexplorer.exe" or is it "Scan iexplore.exe"?
scan iexplore.exe. No r at the end.
Hi,
At this point we can uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
Report back how IE behaves after that.
Sometimes it works with a double-click. Sometimes you have to right click and then select open. I can live with that. Unless there's something else you can think of. Thanks for all your help.
Hi,
Disk check (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx) + hard drive defrag may help. Before that though, I'd make sure there's one antivirus program installed only (you seem to have both Avast and Panda Cloud Antivirus installed there).
Due to inactivity, this thread will now be closed.
Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.