Windows-XP Dell 4550-Incomplete Repair
I have a Dell Dimension running Windows XP that was seriously attacked. The computer would not run well (not even in safe mode), so I performed the procedure below in an attempt to remove the infestation and repair it myself. I know I should have contacted you earlier, but better late than never.
Edit: http://forums.spybot.info/showthread.php?p=404974#post404974
1. Removed the hard drive and installed it in another computer.
2. Utilized the Spybot and Malwarebytes anti-malware programs to clean the disk from the other computer.
3. Reinstalled the disk into the Dell; the system would not boot.
4. Utilized the XP Recovery Console to restore the master boot record.
5. Now the computer can boot, but there are many errors and it cannot run most programs.
6. Used the XP installation disk to do a system restore/repair.
7. System still has significant issues, but I am now able to run the pre-post procedures.
8. Backed up the Registry with ERUNT.
9. Ran DDS; see below and attached.
10. Spybot is still detecting errors as follows:
Virtumonde.prx
Fraud.DesktopSecurity2010
Fraud.HDDDefragmenter
FraudInternetSecurity2011
MicrosoftWindows.AppFirewallBypass
MircosoftWindowsSecurityCenter.FirewallBypass
Win32.FraudLoader.edt
Thanks so much!!!
Roger
---------------------- DDS Log -------------------------------------------
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2800.1106
Run by Christara at 2:11:03 on 2011-06-23
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.227 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe -k itlsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {868cdff6-81ae-451f-a89e-7ae501bbfab9} - c:\windows\system32\dpnhupn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [ladarujaz] Rundll32.exe "c:\windows\system32\mutipuyu.dll",a
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SelectRebates] c:\program files\selectrebates\SelectRebates.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
mRun: [DXDllRegExe] c:\windows\registeredpackages\{44bba855-cc51-11cf-aafa-00aa00b6015c}\dxdllreg.exe
mRun: [SchedulingAgent] mstinit.exe /firstlogon
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [R8388QA8U8] c:\windows\temp\Sth.exe
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRun: [5GUTNY6MFK] c:\windows\temp\Stg.exe
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paypal~1.lnk - c:\program files\paypal\payment wizard\outlook express\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snsicon.lnk - c:\program files\second nature\Snsicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - c:\program files\winkey\WinKey.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\system32\metaproducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{3FE8BD33-6964-40A9-AD2C-97B3A6D16929} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
AppInit_DLLs: c:\windows\system32\nihedufo.dll sivamube.dll c:\windows\system32\mutipuyu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: joguvebez - {f8cbc64e-9611-47e1-a07b-375d763aac0a} - No File
SSODL: kavejovir - {752584fa-e18b-4a69-b452-0c1efc86d167} - No File
STS: {f8cbc64e-9611-47e1-a07b-375d763aac0a} - No File
STS: {752584fa-e18b-4a69-b452-0c1efc86d167} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli yagepodo.dll
.
============= SERVICES / DRIVERS ===============
.
R2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2002-9-3 12800]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-23 1251720]
S1 iiqmmsvh;iiqmmsvh;\??\c:\windows\system32\drivers\iiqmmsvh.sys --> c:\windows\system32\drivers\iiqmmsvh.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl40f73b73.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\mpksl4d44bc6b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\mpksla353c698.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpkslb78e1369.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKslb78e1369.sys [?]
S2 GoogleUpdateBeta;Google Update Service;c:\documents and settings\localservice\local settings\application data\google\update\googleupdatebeta.exe /svc --> c:\documents and settings\localservice\local settings\application data\google\update\GoogleUpdateBeta.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
.
=============== Created Last 30 ================
.
2011-06-23 08:10:49 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10:46 20480 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04:58 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:03:57 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-06-23 08:00:33 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2011-06-23 07:58:19 189440 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:58:19 139776 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:48:04 7046 ----a-r- c:\windows\SET9A.tmp
2011-06-23 07:48:02 13608 ----a-r- c:\windows\SET7C.tmp
2011-06-23 07:47:58 1086182 ----a-r- c:\windows\SET65.tmp
2011-06-23 07:37:10 -------- d-----w- C:\Recovery
2011-05-25 00:02:29 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-05-25 00:02:29 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-05-25 00:02:29 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-05-25 00:02:29 13312 ----a-w- c:\windows\system32\irclass.dll
2011-05-25 00:02:01 7046 ----a-r- c:\windows\SETA4.tmp
2011-05-25 00:02:00 13608 ----a-r- c:\windows\SET86.tmp
2011-05-25 00:01:56 1086182 ----a-r- c:\windows\SET71.tmp
2011-05-24 22:30:59 49152 -c--a-w- c:\windows\system32\dllcache\msador15.dll
2011-05-24 22:28:47 272896 -c--a-w- c:\windows\system32\dllcache\pinball.exe
2011-05-24 22:25:56 5888 ----a-w- c:\windows\system32\drivers\splitter.sys
2011-05-24 22:25:51 50048 ----a-w- c:\windows\system32\drivers\DMusic.sys
2011-05-24 22:19:11 7046 ----a-r- c:\windows\SET93.tmp
2011-05-24 22:19:09 13608 ----a-r- c:\windows\SET75.tmp
2011-05-24 22:19:05 1086182 ----a-r- c:\windows\SET60.tmp
2011-05-24 21:43:14 56576 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-05-24 21:13:01 38024 ----a-w- c:\windows\system32\drivers\termdd.sys
2011-05-24 21:10:16 696320 -c--a-w- c:\windows\system32\dllcache\sapi.dll
2011-05-24 21:10:16 696320 ----a-w- c:\program files\common files\microsoft shared\speech\sapi.dll
2011-05-24 21:10:14 22016 -c--a-w- c:\windows\system32\dllcache\agt0408.dll
2011-05-24 21:10:14 19968 -c--a-w- c:\windows\system32\dllcache\agt040e.dll
2011-05-24 21:10:14 19456 -c--a-w- c:\windows\system32\dllcache\agt041f.dll
2011-05-24 21:10:14 19456 -c--a-w- c:\windows\system32\dllcache\agt0419.dll
2011-05-24 21:10:14 19456 -c--a-w- c:\windows\system32\dllcache\agt0415.dll
2011-05-24 21:10:14 19456 -c--a-w- c:\windows\system32\dllcache\agt0405.dll
2011-05-24 21:10:08 132096 ----a-w- c:\windows\system\WINSPOOL.DRV
2011-05-24 21:10:08 10496 -c--a-w- c:\windows\system32\dllcache\irenum.sys
2011-05-24 21:10:08 10496 ----a-w- c:\windows\system32\drivers\irenum.sys
2011-05-24 21:10:07 71168 ----a-w- c:\windows\system32\storprop.dll
2011-05-24 21:09:38 7046 ----a-r- c:\windows\SET174.tmp
2011-05-24 21:09:36 13608 ----a-r- c:\windows\SET156.tmp
2011-05-24 21:09:32 1086182 ----a-r- c:\windows\SET141.tmp
.
==================== Find3M ====================
.
2011-05-07 14:48:17 215552 ------w- c:\windows\system32\itlpfw32.dll
.
============= FINISH: 2:12:01.10 ===============
Hi
Please visit this webpage for download links and instructions for running the ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New DDS log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Procedures performed per your request.
Thanks,
Roger
----------------------------------------
ComboFix 11-06-29.06 - Christara 06/29/2011 21:19:13.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.251 [GMT -7:00]
Running from: c:\documents and settings\Christara\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Christara\WINDOWS
c:\program files\SelectRebates
c:\program files\SelectRebates\FFToolbar\chrome.manifest
c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar
c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js
c:\program files\SelectRebates\FFToolbar\install.rdf
c:\program files\SelectRebates\SahImages\alert.png
c:\program files\SelectRebates\SahImages\check.png
c:\program files\SelectRebates\SahImages\close.png
c:\program files\SelectRebates\SelectAlerts.dat
c:\program files\SelectRebates\SelectRebates.exe
c:\program files\SelectRebates\SelectRebates.ini
c:\program files\SelectRebates\SelectRebatesA.dat
c:\program files\SelectRebates\SelectRebatesApi.exe
c:\program files\SelectRebates\SelectRebatesB.dat
c:\program files\SelectRebates\SelectRebatesBT.dat
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\program files\SelectRebates\SelectRebatesH.dat
c:\program files\SelectRebates\SelectRebatesUninstall.exe
c:\program files\SelectRebates\SRebates.dll
c:\program files\SelectRebates\SRFF3.dll
c:\program files\SelectRebates\Toolbar\AddtoList.bmp
c:\program files\SelectRebates\Toolbar\basis.xml
c:\program files\SelectRebates\Toolbar\Basis.xml.dym
c:\program files\SelectRebates\Toolbar\Blank.bmp
c:\program files\SelectRebates\Toolbar\CashBack.bmp
c:\program files\SelectRebates\Toolbar\Coupons.bmp
c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp
c:\program files\SelectRebates\Toolbar\i_magnifying.bmp
c:\program files\SelectRebates\Toolbar\icons.bmp
c:\program files\SelectRebates\Toolbar\logo.bmp
c:\program files\SelectRebates\Toolbar\logo_24.bmp
c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp
c:\program files\SelectRebates\Toolbar\ReviewSite.bmp
c:\program files\SelectRebates\Toolbar\RightControls.dym
c:\program files\SelectRebates\Toolbar\sahtb-alert.bmp
c:\program files\SelectRebates\Toolbar\sahtb-go.bmp
c:\program files\SelectRebates\Toolbar\sahtb-grocerycoupons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-icons.bmp
c:\program files\SelectRebates\Toolbar\sahtb-restaurant.bmp
c:\program files\SelectRebates\Toolbar\sahtb-wishlist.bmp
c:\program files\SelectRebates\Toolbar\Scissors.bmp
c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
c:\windows\patch.exe
c:\windows\system32\bihobepi.dll.tmp
c:\windows\system32\drivers\rotscxnkjdpoas.sys
c:\windows\system32\itlpfw32.dll
c:\windows\system32\kbiwkmdbnsigkt.dll
c:\windows\system32\kbiwkmoownaxlt.dat
c:\windows\system32\logon.exe
c:\windows\system32\payezavu.dll.tmp
c:\windows\system32\rnaph.dll
c:\windows\system32\rotscxtvtmwear.dat
c:\windows\system32\rotscxuapjxxqk.dll
c:\windows\system32\sawetuna.dll.tmp
c:\windows\TEMP\nsj22.tmp\System.dll
.
c:\windows\system32\qmgr.dll . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GOOGLEUPDATEBETA
-------\Legacy_ITLPERF
-------\Legacy_rotscxllkdptum
-------\Service_GoogleUpdateBeta
-------\Service_itlperf
-------\Service_rotscxllkdptum
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-23 09:06 . 2011-06-23 09:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\PCHealth
2011-06-23 09:01 . 2011-06-23 09:01 -------- d-----w- c:\program files\ERUNT
2011-06-23 08:10 . 2011-06-23 08:11 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10 . 2002-08-29 10:40 20480 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05 . 2001-08-18 05:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04 . 2002-09-03 16:24 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:03 . 2002-05-14 19:08 208896 -c--a-w- c:\windows\system32\dllcache\fpmmcsat.dll
2011-06-23 08:00 . 2002-09-03 17:07 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2011-06-23 07:58 . 2004-08-03 21:07 1081112 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:58 . 2004-08-03 21:02 113944 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:48 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SET9A.tmp
2011-06-23 07:48 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET7C.tmp
2011-06-23 07:47 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET65.tmp
2011-06-23 07:37 . 2011-06-23 09:23 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 19:48 . 2011-05-09 19:48 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKslc7ff3501.sys
2011-05-08 17:21 . 2011-05-08 17:21 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKslc7709c45.sys
2011-05-08 08:40 . 2011-05-08 08:40 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKsl25a79e78.sys
2011-05-08 08:21 . 2011-05-08 08:21 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKsl06c27275.sys
2011-04-11 07:04 . 2011-05-07 08:54 7071056 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\mpengine.dll
2011-04-11 07:04 . 2010-02-20 10:06 7071056 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\xmlprov.dll
.
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\DRIVERS\ip6fw.sys
.
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\SYSTEM32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-05 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-04 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-04 160592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-09-03 51200]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2002-09-03 40960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-7-22 577597]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PayPal Plug-In for Outlook Express.lnk - c:\program files\PayPal\Payment Wizard\Outlook Express\OEHook.exe [2006-6-12 102400]
Snsicon.lnk - c:\program files\Second Nature\Snsicon.exe [2011-2-1 86016]
WinKey.lnk - c:\program files\WinKey\WinKey.exe [2003-4-7 99840]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ------w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ------w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-04-23 11:16 214560 ------w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PayPal\\Payment Wizard\\Outlook Express\\OEHook.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [9/19/2009 8:04 AM 45312]
S1 iiqmmsvh;iiqmmsvh;\??\c:\windows\system32\drivers\iiqmmsvh.sys --> c:\windows\system32\drivers\iiqmmsvh.sys [?]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl15bad665.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl40f73b73.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22D8DFD2-293F-46F4-B0B4-80FC0AB43736}\MpKsl4d44bc6b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22D8DFD2-293F-46F4-B0B4-80FC0AB43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{88995069-B1E3-4094-B3B6-C3F6AA376A75}\MpKsla353c698.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{88995069-B1E3-4094-B3B6-C3F6AA376A75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKslb78e1369.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKslb78e1369.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2010 4:59 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2010 4:59 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 11:59]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 11:59]
.
2011-06-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\System32\MetaProducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{868CDFF6-81AE-451F-A89E-7AE501BBFAB9} - c:\windows\system32\dpnhupn.dll
HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe
SharedTaskScheduler-{f8cbc64e-9611-47e1-a07b-375d763aac0a} - (no file)
SharedTaskScheduler-{752584fa-e18b-4a69-b452-0c1efc86d167} - (no file)
SSODL-joguvebez-{f8cbc64e-9611-47e1-a07b-375d763aac0a} - (no file)
SSODL-kavejovir-{752584fa-e18b-4a69-b452-0c1efc86d167} - (no file)
Notify-itlntfy - itlnfw32.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-29 21:46
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\msctfime.ime
.
- - - - - - - > 'lsass.exe'(716)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(1536)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\msctfime.ime
c:\program files\Windows Media Player\wmpband.dll
c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\System32\WgaTray.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\recovery\dds.scr
.
**************************************************************************
.
Completion time: 2011-06-29 21:55:56 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-30 04:55
.
Pre-Run: 27,583,090,688 bytes free
Post-Run: 32,162,414,592 bytes free
.
winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 88B5458A0E010C3E886CCBE6EB610FF4
_________________________________________________________________
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2800.1106
Run by Christara at 1:41:59 on 2011-06-30
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.150 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\WinKey\WinKey.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paypal~1.lnk - c:\program files\paypal\payment wizard\outlook express\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snsicon.lnk - c:\program files\second nature\Snsicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - c:\program files\winkey\WinKey.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\system32\metaproducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{3FE8BD33-6964-40A9-AD2C-97B3A6D16929} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-23 1251720]
S1 iiqmmsvh;iiqmmsvh;\??\c:\windows\system32\drivers\iiqmmsvh.sys --> c:\windows\system32\drivers\iiqmmsvh.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl40f73b73.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\mpksl4d44bc6b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\mpksla353c698.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpkslb78e1369.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKslb78e1369.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
.
=============== Created Last 30 ================
.
2011-06-30 04:14:41 -------- d-sha-r- C:\cmdcons
2011-06-30 04:11:59 98816 ----a-w- c:\windows\sed.exe
2011-06-30 04:11:59 518144 ----a-w- c:\windows\SWREG.exe
2011-06-30 04:11:59 256000 ----a-w- c:\windows\PEV.exe
2011-06-30 04:11:59 208896 ----a-w- c:\windows\MBR.exe
2011-06-23 09:21:25 167704 ----a-w- c:\windows\system32\wuaucpl.cpl
2011-06-23 08:10:49 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10:46 20480 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04:58 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:03:57 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-06-23 08:00:33 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2011-06-23 07:58:19 113944 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:58:19 1081112 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:48:04 7046 ----a-r- c:\windows\SET9A.tmp
2011-06-23 07:48:02 13608 ----a-r- c:\windows\SET7C.tmp
2011-06-23 07:47:58 1086182 ----a-r- c:\windows\SET65.tmp
2011-06-23 07:37:10 -------- d-----w- C:\Recovery
.
==================== Find3M ====================
.
.
============= FINISH: 1:42:43.62 ===============
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
Driver::
iiqmmsvh
File::
c:\windows\system32\drivers\iiqmmsvh.sys
DDS::
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Ad-Aware SE Personal is not supported anymore and should be uninstalled.
Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 26 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
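The CFScript above was assembled by hand from two kinds of DDS lines: the driver whose binary DDS could not read (the trailing "[?]" on the iiqmmsvh service line) and the browser add-on entries whose DLL is gone ("No File"). The following script is an added example, not part of this thread and not code from the DDS or ComboFix authors; it automates that triage over a log excerpt constructed from lines quoted earlier on this page and emits the same Driver:: / File:: / DDS:: layout. The allow-list of driver-name prefixes treated as benign (the MpKsl* and MpFilter drivers that Microsoft Security Essentials drops under its definition-update folder, which also show "[?]" once that folder is rotated) is an assumption of the example, as is the rule that only ".sys" paths are worth a Driver:: entry.

```python
"""Triage a DDS-style log and draft a CFScript from it (added example)."""
import re

# Service/driver lines look like:
#   S1 name;display;<path> [date size]        or   ... <reg path> --> <resolved path> [?]
# "[?]" is DDS's way of saying it could not stat the binary.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-9])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
# Browser add-on entries whose DLL is missing from disk.
NO_FILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB):\s*(?P<body>.*?)\s*-\s*No File\s*$")

# Assumption of this example: MSE's per-update kernel drivers legitimately show "[?]".
BENIGN_DRIVER_PREFIXES = ("MpKsl", "MpFilter")

# Constructed sample: a handful of lines copied from the DDS logs in this thread.
SAMPLE_LOG = r"""
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
S1 iiqmmsvh;iiqmmsvh;\??\c:\windows\system32\drivers\iiqmmsvh.sys --> c:\windows\system32\drivers\iiqmmsvh.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
""".strip().splitlines()


def parse_services(lines):
    """Return (name, resolved_path, info) for every R*/S* service line."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # DDS prints "<registry image path> --> <resolved path>"; keep the resolved one.
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        out.append((m.group("name"), path.strip(), m.group("info").strip()))
    return out


def unreadable_drivers(lines):
    """Drivers DDS could not read ("[?]"), minus the benign allow-list."""
    return [
        (name, path)
        for name, path, info in parse_services(lines)
        if info == "?"
        and path.lower().endswith(".sys")
        and not name.startswith(BENIGN_DRIVER_PREFIXES)
    ]


def no_file_entries(lines):
    """BHO/TB/EB registry entries whose DLL is missing ("No File")."""
    return [line.strip() for line in lines if NO_FILE_RE.match(line.strip())]


def build_cfscript(lines):
    """Emit CFScript text in the Driver:: / File:: / DDS:: layout used in the thread."""
    drivers = unreadable_drivers(lines)
    orphans = no_file_entries(lines)
    parts = []
    if drivers:
        parts.append("Driver::")
        parts.extend(name for name, _ in drivers)
        parts.append("File::")
        parts.extend(path for _, path in drivers)
    if orphans:
        parts.append("DDS::")
        parts.extend(orphans)
    return "\n".join(parts) + ("\n" if parts else "")


if __name__ == "__main__":
    # Prints a script identical to the one the helper posted above.
    print(build_cfscript(SAMPLE_LOG), end="")
```

The output is only a draft: a "[?]" driver is a candidate, not a verdict, so anyone using this would still look at the file (or its absence) before handing the script to ComboFix, exactly as the helper did here.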
All requested steps performed as follows:
1. ComboFix ran with CFScript. See log below
2. Ad-Aware SE removed
3. Adobe Reader and Java removed/updated
4. online scanner from ESET ran. Results on screen: "no threats found" No log file was created
5. See DDS log file below.
Computer is basically working. I am noting the following: Browser tries to go to http://xtoff// at startup. Changing the home position does not change this. DDS keeps randomly running without being initiated by me.
I need some recommendations for antivirus/anti-malware software. Have been running AVG, but I am finding that it seriously slows down older computers with limited resources.
Thank you so much for your help!!
Roger
_________________________________________________________
ComboFix 11-06-30.02 - Christara 06/30/2011 9:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.162 [GMT -7:00]
Running from: c:\documents and settings\Christara\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christara\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
FILE ::
"c:\windows\system32\drivers\iiqmmsvh.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\nsh30.tmp\System.dll
.
Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\qmgr.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_iiqmmsvh
.
.
((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))
.
.
2011-06-23 09:06 . 2011-06-23 09:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\PCHealth
2011-06-23 09:01 . 2011-06-23 09:01 -------- d-----w- c:\program files\ERUNT
2011-06-23 08:10 . 2011-06-23 08:11 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10 . 2002-08-29 10:40 20480 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05 . 2001-08-18 05:36 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04 . 2002-09-03 16:24 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:03 . 2002-05-14 19:08 208896 -c--a-w- c:\windows\system32\dllcache\fpmmcsat.dll
2011-06-23 08:00 . 2002-09-03 17:07 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2011-06-23 07:58 . 2004-08-03 21:07 1081112 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:58 . 2004-08-03 21:02 113944 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:37 . 2011-06-23 09:23 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 19:48 . 2011-05-09 19:48 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKslc7ff3501.sys
2011-05-08 17:21 . 2011-05-08 17:21 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKslc7709c45.sys
2011-05-08 08:40 . 2011-05-08 08:40 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKsl25a79e78.sys
2011-05-08 08:21 . 2011-05-08 08:21 28752 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\MpKsl06c27275.sys
2011-04-11 07:04 . 2011-05-07 08:54 7071056 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E92F5B7C-9BAE-4232-9367-314193274A19}\mpengine.dll
2011-04-11 07:04 . 2010-02-20 10:06 7071056 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\wscntfy.exe
.
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\xmlprov.dll
.
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\DRIVERS\ip6fw.sys
.
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\SYSTEM32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-04 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-23 185896]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-06-15 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2007-12-24 618496]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-04-04 160592]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2002-09-03 51200]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2002-09-03 40960]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-3 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-7-22 577597]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
PayPal Plug-In for Outlook Express.lnk - c:\program files\PayPal\Payment Wizard\Outlook Express\OEHook.exe [2006-6-12 102400]
Snsicon.lnk - c:\program files\Second Nature\Snsicon.exe [2011-2-1 86016]
WinKey.lnk - c:\program files\WinKey\WinKey.exe [2003-4-7 99840]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 18:28 684032 ------w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 06:46 57344 ------w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ------w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-04-23 11:16 214560 ------w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\PayPal\\Payment Wizard\\Outlook Express\\OEHook.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [9/19/2009 8:04 AM 45312]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl15bad665.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl40f73b73.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22D8DFD2-293F-46F4-B0B4-80FC0AB43736}\MpKsl4d44bc6b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22D8DFD2-293F-46F4-B0B4-80FC0AB43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{88995069-B1E3-4094-B3B6-C3F6AA376A75}\MpKsla353c698.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{88995069-B1E3-4094-B3B6-C3F6AA376A75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKslb78e1369.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{33D6FEA7-330F-4E8C-8B0B-0020BB97A40C}\MpKslb78e1369.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2010 4:59 AM 136176]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/27/2010 4:59 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 11:59]
.
2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-27 11:59]
.
2011-06-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\System32\MetaProducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\SYSTEM32\MetaProducts\mdpph.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-30 09:31
Windows 5.1.2600 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(660)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\msctfime.ime
.
- - - - - - - > 'lsass.exe'(716)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\dssenh.dll
.
- - - - - - - > 'explorer.exe'(172)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
c:\windows\System32\msctfime.ime
c:\program files\Windows Media Player\wmpband.dll
c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\System32\WgaTray.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\recovery\dds.scr
c:\windows\TEMP\nsyF.tmp\PEV.DAT
.
**************************************************************************
.
Completion time: 2011-06-30 09:39:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-30 16:39
ComboFix2.txt 2011-06-30 04:55
.
Pre-Run: 32,154,836,992 bytes free
Post-Run: 32,120,217,600 bytes free
.
- - End Of File - - 57A023AE921C802FCCA6D50BD46F05DA
___________________________________________________________
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2800.1106
Run by Christara at 13:12:52 on 2011-06-30
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.206 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\WinKey\WinKey.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NOS\bin\getPlusPlus_Adobe.exe
C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper
C:\WINDOWS\System32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\program files\nos\bin\getPlusUninst_Adobe.exe" /Get1noarp
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paypal~1.lnk - c:\program files\paypal\payment wizard\outlook express\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snsicon.lnk - c:\program files\second nature\Snsicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - c:\program files\winkey\WinKey.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\system32\metaproducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{3FE8BD33-6964-40A9-AD2C-97B3A6D16929} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-23 1251720]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-9-3 12800]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl40f73b73.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\mpksl4d44bc6b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\mpksla353c698.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpkslb78e1369.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKslb78e1369.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
.
=============== Created Last 30 ================
.
2011-06-30 17:49:14 -------- d-----w- c:\program files\ESET
2011-06-30 17:44:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-30 17:34:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-30 04:14:41 -------- d-sha-r- C:\cmdcons
2011-06-30 04:11:59 98816 ----a-w- c:\windows\sed.exe
2011-06-30 04:11:59 518144 ----a-w- c:\windows\SWREG.exe
2011-06-30 04:11:59 256000 ----a-w- c:\windows\PEV.exe
2011-06-30 04:11:59 208896 ----a-w- c:\windows\MBR.exe
2011-06-23 09:21:25 167704 ----a-w- c:\windows\system32\wuaucpl.cpl
2011-06-23 08:10:49 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10:46 20480 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04:58 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:03:57 598071 -c--a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-06-23 08:00:33 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2011-06-23 07:58:19 113944 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:58:19 1081112 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:48:04 7046 ----a-r- c:\windows\SET9A.tmp
2011-06-23 07:48:02 13608 ----a-r- c:\windows\SET7C.tmp
2011-06-23 07:47:58 1086182 ----a-r- c:\windows\SET65.tmp
2011-06-23 07:37:10 -------- d-----w- C:\Recovery
2011-06-06 19:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
.
============= FINISH: 13:14:06.43 ===============
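The SERVICES / DRIVERS block in a DDS log is the part worth reading first, and the five `MpKsl*` entries above are a good illustration of why: DDS printed `[?]` for them where it normally prints a date and size for the service binary (compare `BackupNowEZSvr.exe [2009-9-19 45312]`). The following parser is an added example, not code from the original post or from DDS itself. It splits each line into the R/S state letter, the start-type digit, name, display name and image path, resolves the path after `-->` when one is present, and flags entries with no date/size. The sample lines are copied from the logs above; the decoding of R/S as running/stopped and of the digit as the Windows start type follows the convention DDS inherits from HijackThis-style logs and is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: SERVICES / DRIVERS lines copied from the DDS logs above.
SAMPLE_LINES = [
    r"R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]",
    r"S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]",
    r"S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]",
    r"S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]",
    r"R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-9-3 12800]",
]

# Windows service start types; the digit after R/S is assumed to map to these.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# "R<digit> name;display;path [date size]" or "... [?]" when no date/size was printed.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class ServiceEntry:
    running: bool        # R = running, S = stopped (assumed DDS convention)
    start_type: str      # decoded from the digit after R/S
    name: str
    display: str
    image_path: str      # path after "-->" when DDS resolved one, else as given
    size: Optional[int]  # None when DDS printed "[?]"
    missing: bool        # True when no date/size was printed for the binary


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # The trailing bracket holds either "date size" or "?".
    path_part, _, tail = rest.rpartition(" [")
    tail = tail.rstrip("]")
    if " --> " in path_part:
        path_part = path_part.split(" --> ", 1)[1]
    missing = tail == "?"
    size = None if missing else int(tail.split()[-1])
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=START_TYPES.get(int(m.group("start")), "unknown"),
        name=m.group("name"),
        display=m.group("display"),
        image_path=path_part,
        size=size,
        missing=missing,
    )


def parse_services(lines) -> List[ServiceEntry]:
    """Parse every line that matches the service/driver shape, skipping the rest."""
    entries = [parse_service_line(line) for line in lines]
    return [e for e in entries if e is not None]


def orphaned(entries) -> List[str]:
    """Names of services/drivers for which DDS printed no date/size ("[?]")."""
    return [e.name for e in entries if e.missing]


def svchost_hosted(entries) -> List[str]:
    """Services whose image is svchost.exe; their real code lives in a ServiceDll."""
    return [e.name for e in entries if "svchost.exe" in e.image_path.lower()]


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_LINES)
    for e in parsed:
        state = "running" if e.running else "stopped"
        flag = "NO-DATE/SIZE" if e.missing else "ok"
        print(f"{e.name:18} {state:8} {e.start_type:8} {flag}")
    print("orphaned:", orphaned(parsed))
    print("svchost-hosted:", svchost_hosted(parsed))
```

Running it over a full log section (replace `SAMPLE_LINES` with the lines between the `SERVICES / DRIVERS` header and the next `====` header) lists the `[?]` entries first so they can be checked on disk before anything is deleted; the `svchost_hosted` list is the second thing to look at, since the `-k` group name says nothing about which DLL actually runs.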
Hi,
Before we do anything else let's get Windows service pack 2 (http://www.microsoft.com/download/en/details.aspx?id=28) and Internet Explorer 8 (http://www.microsoft.com/download/en/details.aspx?id=43) installed.
Post back fresh dds.txt log when done.
Hi,
As requested the following was performed:
1. Installed SP-2: files were downloaded, installed and the system was rebooted. Upon reboot the system hung with the Windows logo in the center of the screen. Below the screen the message was "please wait ....". After waiting an adequate amount of time (~4 hrs), I powered down and rebooted. This time the boot was successful and the system properties showed that SP-2 was installed.
2. Note DDS is still running repetitively without operator initiation.
3. Installed all “express” (priority) updates. A total of 71 updates. Rebooted successfully.
4. Installed SP-3: files were downloaded, installed and the system was rebooted. Upon reboot the system hung with the Windows logo in the center of the screen (exactly the same as when SP-2 was installed). Powered down, rebooted, and the system appears to be OK.
5. Installed Explorer 8.0
6. Ran DDS (see log below)
Thank you!!!
Roger
__________________________________________________________
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Christara at 23:46:05 on 2011-07-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.127 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\WinKey\WinKey.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\msiexec.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paypal~1.lnk - c:\program files\paypal\payment wizard\outlook express\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snsicon.lnk - c:\program files\second nature\Snsicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winkey.lnk - c:\program files\winkey\WinKey.exe
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incred~1\bin\resources\WebMenuImg.htm
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download using Download &Express - file://c:\windows\system32\metaproducts\Add_Url.htm
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
TCP: Interfaces\{3FE8BD33-6964-40A9-AD2C-97B3A6D16929} : DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Name-Space Handler: ftp\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: http\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
Name-Space Handler: https\HIEClickCatcher - {E131C96E-4DDB-11D4-84B8-008048B33DEA} - c:\windows\system32\metaproducts\mdpph.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 MpKslf91c37ef;MpKslf91c37ef;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e92f5b7c-9bae-4232-9367-314193274a19}\MpKslf91c37ef.sys [2011-7-3 28752]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-9-19 45312]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-4-23 1251720]
S1 MpKsl15bad665;MpKsl15bad665;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl15bad665.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl15bad665.sys [?]
S1 MpKsl40f73b73;MpKsl40f73b73;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpksl40f73b73.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKsl40f73b73.sys [?]
S1 MpKsl4d44bc6b;MpKsl4d44bc6b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\mpksl4d44bc6b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{22d8dfd2-293f-46f4-b0b4-80fc0ab43736}\MpKsl4d44bc6b.sys [?]
S1 MpKsla353c698;MpKsla353c698;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\mpksla353c698.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{88995069-b1e3-4094-b3b6-c3f6aa376a75}\MpKsla353c698.sys [?]
S1 MpKslb78e1369;MpKslb78e1369;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\mpkslb78e1369.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{33d6fea7-330f-4e8c-8b0b-0020bb97a40c}\MpKslb78e1369.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-27 136176]
.
=============== Created Last 30 ================
.
2011-07-03 16:09:21 -------- d-sh--w- c:\documents and settings\christara\PrivacIE
2011-07-03 10:18:37 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e92f5b7c-9bae-4232-9367-314193274a19}\MpKslf91c37ef.sys
2011-07-03 10:17:31 -------- d-sh--w- c:\documents and settings\christara\IETldCache
2011-07-03 07:49:52 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-07-03 07:49:11 -------- d-----w- c:\windows\ie8updates
2011-07-03 07:48:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-03 07:48:40 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-03 07:48:40 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-03 07:48:40 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-03 07:48:40 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-03 07:48:38 11081728 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-07-03 07:48:37 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-03 07:42:52 -------- dc-h--w- c:\windows\ie8
2011-07-03 07:24:25 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-03 07:24:15 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-07-03 07:17:13 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-07-03 07:16:51 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-07-03 07:16:28 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-07-03 07:16:02 978944 -c----w- c:\windows\system32\dllcache\mfc42.dll
2011-07-03 07:16:02 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-07-03 07:15:23 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-07-03 04:11:05 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2011-07-03 04:11:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2011-07-03 04:09:50 19569 ----a-w- c:\windows\005846_.tmp
2011-07-03 02:31:30 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-07-03 02:26:55 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-07-03 02:25:14 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-07-03 02:25:13 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-07-03 02:24:59 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-07-03 02:22:06 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-07-03 02:21:01 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2011-07-03 02:19:12 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2011-07-03 02:19:12 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2011-07-03 02:19:12 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2011-07-03 02:19:12 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2011-07-03 02:19:12 110592 -c----w- c:\windows\system32\dllcache\services.exe
2011-07-03 02:19:11 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2011-07-03 02:19:10 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2011-07-03 02:19:09 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2011-07-03 02:19:09 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2011-07-03 02:19:09 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-07-03 02:19:08 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-07-03 02:19:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-07-03 02:17:44 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2011-07-03 02:17:36 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-07-03 02:17:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-07-03 02:16:22 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2011-07-02 17:55:44 -------- d-----w- c:\windows\system32\wbem\repository.001\FS
2011-07-02 17:55:44 -------- d-----w- c:\windows\system32\wbem\Repository.001
2011-07-02 16:49:16 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-07-02 16:49:16 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2011-06-30 17:49:14 -------- d-----w- c:\program files\ESET
2011-06-30 17:44:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-30 17:34:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-30 04:14:41 -------- d-sha-r- C:\cmdcons
2011-06-30 04:11:59 98816 ----a-w- c:\windows\sed.exe
2011-06-30 04:11:59 518144 ----a-w- c:\windows\SWREG.exe
2011-06-30 04:11:59 256000 ----a-w- c:\windows\PEV.exe
2011-06-30 04:11:59 208896 ----a-w- c:\windows\MBR.exe
2011-06-23 09:21:25 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2011-06-23 08:10:49 -------- d-----w- C:\8deaa65787caeaf7444d50834175
2011-06-23 08:10:46 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2011-06-23 08:05:59 57856 -c--a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-06-23 08:04:58 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-06-23 08:00:33 73728 -c--a-w- c:\windows\system32\dllcache\icwtutor.exe
2011-06-23 08:00:33 73728 ----a-w- c:\program files\internet explorer\connection wizard\icwtutor.exe
2011-06-23 08:00:33 61440 -c--a-w- c:\windows\system32\dllcache\icwres.dll
2011-06-23 08:00:33 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwres.dll
2011-06-23 08:00:33 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwconn.dll
2011-06-23 08:00:33 49152 ----a-w- c:\program files\internet explorer\connection wizard\icwutil.dll
2011-06-23 08:00:33 40960 -c--a-w- c:\windows\system32\dllcache\trialoc.dll
2011-06-23 08:00:33 40960 ----a-w- c:\program files\internet explorer\connection wizard\trialoc.dll
2011-06-23 08:00:33 24576 ----a-w- c:\program files\internet explorer\connection wizard\icwrmind.exe
2011-06-23 08:00:33 172032 ----a-w- c:\program files\internet explorer\connection wizard\icwhelp.dll
2011-06-23 08:00:30 226816 ----a-w- c:\program files\windows media player\npdrmv2.dll
2011-06-23 08:00:29 10240 ----a-w- c:\program files\windows media player\npwmsdrm.dll
2011-06-23 07:58:19 53472 -c--a-w- c:\windows\system32\dllcache\wuauclt.exe
2011-06-23 07:58:19 1929952 -c--a-w- c:\windows\system32\dllcache\wuaueng.dll
2011-06-23 07:48:04 7046 ----a-r- c:\windows\SET9A.tmp
2011-06-23 07:48:02 13608 ----a-r- c:\windows\SET7C.tmp
2011-06-23 07:47:58 1086182 ----a-r- c:\windows\SET65.tmp
2011-06-23 07:37:10 -------- d-----w- C:\Recovery
2011-06-06 19:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 14:47:19 81920 ------w- c:\windows\system32\ieencode.dll
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 23:47:48.42 ===============
2. Note DDS is still running repetitively without operator initiation.
This one is weird. I've never seen a case with DDS running itself without a command. Are you sure it's DDS? Does it leave logs behind?
The questionable DDS runs to the end and gives the report that two log files have been created. Then when you click "OK", the log files are not opened as they are with a normal DDS run.
Shall I remove DDS and see what happens?
Thanks,
Roger
Hi,
Yes delete DDS and then run ComboFix again. Post back its report.
I performed the following steps:
1. Deleted DDS.com
2. Initiated combofix
3. Got message from Microsoft security essentials – Microsoft security essentials detected items on your computer that may have not yet been classified for risk: File path: c:\32788R22FWJFW\iexplore.exe
4. Got message from combofix requesting that I disable scanner: Microsoft Security Essentials
5. I uninstalled Microsoft Security Essentials
6. Initiated Combofix
7. Got DDS message during combofix. I used the task manager to determine the name of process: DDS.SCR.
8. Deleted all occurrences of dds.scr.
9. posted results (see attached)
Thanks so much!!
Hi,
Does DDS still pop up by itself? Any issues left?
Thanks Blade,
Everything seems to be fine. Yeah!
The only thing remaining is how to prevent re-infection. At the moment we only have spybot installed and without tea-timer. So if I can get some recommendations on free antivirus / antimalware programs that would be great. In the past I have used AVG for the antivirus, but the latest versions have become resource hungry on older machines. I have tried Avast on one of my friend’s computers. The performance improved and no infections yet.... Do you have a recommendation? What about anti-malware? Do you recommend installing tea-timer? Any other recommendations?
I can’t thank you enough for all of your help....
Regards,
Roger
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen).
Click run.
In the dialog box, type services.msc and hit enter, then locate dns client.
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok.
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in future too.
Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html)
Avast! (http://www.avast.com/eng/download-avast-home.html)
Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free (http://www.tallemu.com/free-firewall-protection-software.html) or Comodo Firewall Pro (http://www.personalfirewall.comodo.com/download_firewall.html#fw3.0) (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
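Two of the hardening items in Blade's post above (the Internet zone ActiveX/IFRAME settings and the hosts file) can be checked from a script rather than by clicking through dialogs. The script below is an added example written for this thread; it is not code from the forum, from Spybot, or from the MVPS hosts project. The registry path `Zones\3` and the value names `1001`, `1004`, `1201`, `1800`, `1804`, `1607` are Microsoft's documented URL action identifiers for the Internet zone (assumed known, not taken from the post); the function names, the `PROTECTED` site list and the sample hosts text are constructed for the example. It goes one step beyond the post: besides listing block entries it also flags hosts entries that silence update sites or send a name to a real address, which is the hijack pattern the post's hosts-file advice is meant to guard against.

```python
"""Audit two post-cleanup hardening items: IE Internet zone settings and the hosts file.

Added example for this thread, not the forum's or any tool's own code.
Registry path and URL action IDs are Microsoft's documented ones for the
Internet zone (assumed known); sample data below is constructed.
"""
import ipaddress
import os

# --- Internet Explorer zone settings --------------------------------------
ENABLE, PROMPT, DISABLE = 0, 1, 3          # per-action values IE stores in the registry
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# Registry value name (hex URL action ID) -> (setting as named in the post, recommended value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

def read_internet_zone():
    """Read the current user's Internet zone values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                values[name] = None           # unset: the zone default applies
    return values

def audit_zone(values):
    """Return (value name, description, current, recommended) for every setting
    that is looser than recommended or unset. Enable(0) < Prompt(1) < Disable(3)."""
    return [(name, desc, values.get(name), want)
            for name, (desc, want) in RECOMMENDED.items()
            if values.get(name) is None or values.get(name) < want]

# --- hosts file ------------------------------------------------------------
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}   # addresses a blocking hosts file maps names to
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Update sites a home PC's hosts file should never silence (constructed list, extend as needed)
PROTECTED = {"windowsupdate.microsoft.com", "www.windowsupdate.com", "update.microsoft.com"}

def audit_hosts(text, protected=PROTECTED):
    """Classify each hosts entry: blocked (benign sinkhole), hijacked (a protected
    site sinkholed, or any name sent to a real address) or malformed."""
    blocked, hijacked, malformed = [], [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then split on whitespace
        if not fields:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            names = []                          # first field is not an address
        if not names:
            malformed.append((line_no, raw.strip()))
            continue
        for name in names:
            if name in LOOPBACK_NAMES:
                continue                        # the normal localhost entry
            if addr in SINKHOLES and name not in protected:
                blocked.append((name, addr))
            else:
                hijacked.append((line_no, name, addr))
    return blocked, hijacked, malformed

def hosts_path():
    """Default location of the hosts file on Windows."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "system32", "drivers", "etc", "hosts")

# Constructed sample: two normal block entries, two hijacks, one broken line.
SAMPLE_HOSTS = "\n".join([
    "127.0.0.1       localhost",
    "0.0.0.0  ads.example.net        # block entry, MVPS style",
    "0.0.0.0  tracker.example.org",
    "127.0.0.1  windowsupdate.microsoft.com   # update site silenced",
    "198.51.100.7  www.bank.example            # redirected to a real address",
    "not-an-ip  broken.example",
])
# Constructed zone values as they might look before the post's changes are applied.
SAMPLE_ZONE_WEAK = {"1001": ENABLE, "1004": PROMPT, "1201": DISABLE,
                    "1800": ENABLE, "1804": PROMPT, "1607": ENABLE}

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE_WEAK):
        print("zone:", finding)
    print("hosts:", audit_hosts(SAMPLE_HOSTS))
```

On the cleaned machine, replace `SAMPLE_ZONE_WEAK` with `read_internet_zone()` and `SAMPLE_HOSTS` with the contents of `hosts_path()` to audit the live settings; the script only reads, it changes nothing. An entry that sinkholes an update site is worth treating as an infection artefact rather than a block-list choice, since the post's own advice depends on Windows Update staying reachable.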
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.