Antimalware Doctor + more

[bob200]

TeaTimer is not active, no.

The first several times I tried running ComboFix, I waited at least 5 minutes without anything happening before trying to run combofix again.

The last couple times today, I did not wait as long, maybe 1-2 minutes after the loading bar dissapeared.

Will try combofix again, and will wait the full 5 minutes again if needed.

Will post results.

 

[bob200]

Deleted the old copy of combofix.

downloaded a new copy from your link as BobCF.exe to C:\

There was no TeaTimer process running in my task manager. Ran BobCF.exe from normal mode.

ComboFix loading bar appeared, and loaded. Then dissapeared.

Nothing else happened. I waited a full 10 minutes this time without any activity. Tried running Combofix again, and it gave me the corrupted file message.

Should I wait longer? Should I try it in safe mode again?

Awaiting further instruction.

 

[bob200]

My eyes are bleeding, I need to get some sleep. Thank you for your help today, hopefully we can continue working on it tomorrow.

 

[Jack&Jill]

Hello bob200 ,

This is how we are going do it. I need you to rerun DDS and post back the new DDS.txt. After that, please do not shut down the computer or reboot. I will come back to you with the next step as soon as possible. If you can't get online in Normal Mode, you can do all the steps in Safe Mode, including the DDS rerun.

 

[bob200]

Well, some good news I suppose. My roommate found a windows XP CD and did a repair install of windows while I was out today.

My desktop is back, I'm online in normal mode, things look good.

I'm still concerned about the infections, especially the rootkit infection. So if it's ok, we could procede with rooting that out. Just wanted to let you know that windows was repaired and seems to be functioning in normal mode. Hopefully this will make it easier to fix the infections.

Will post the DDS logs you requested.

 

[bob200]

DDS (Ver_10-12-12.02) - NTFSx86
Run by Auser at 23:32:47.06 on Wed 01/05/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1497 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Auser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R3 CmtlPort;Comtrol Serial Port;c:\windows\system32\drivers\rp2cport.sys [2009-11-9 112128]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-2-23 209960]
R3 RcktPort;Comtrol RocketPort Infinity;c:\windows\system32\drivers\rp2.sys [2009-10-15 33792]
S0 cerc6;cerc6; [x]

=============== Created Last 30 ================

2011-01-05 21:33:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-05 21:33:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-05 21:10:34 -------- d-sh--w- c:\documents and settings\auser\IECompatCache
2011-01-05 21:10:23 -------- d-sh--w- c:\documents and settings\auser\PrivacIE
2011-01-05 21:08:50 -------- d-sh--w- c:\documents and settings\auser\IETldCache
2011-01-05 20:57:46 -------- d-----w- c:\windows\ie8updates
2011-01-05 20:57:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-05 20:57:43 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-05 20:57:43 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-05 20:57:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-05 20:57:43 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-05 20:57:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-05 20:57:43 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-05 20:56:53 -------- dc-h--w- c:\windows\ie8
2011-01-05 20:45:40 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-05 20:41:00 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-05 20:41:00 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-05 20:41:00 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-05 20:39:16 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-01-05 20:39:16 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-01-05 20:31:15 -------- d-----w- c:\docume~1\auser\applic~1\Malwarebytes
2011-01-05 20:31:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 20:31:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-05 20:31:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 20:31:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-05 20:30:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-01-05 20:28:52 -------- d-sh--w- c:\documents and settings\auser\UserData
2011-01-05 20:28:29 -------- d-----w- c:\windows\system32\PreInstall
2011-01-05 20:28:27 -------- d--h--w- c:\windows\$hf_mig$
2011-01-05 20:25:54 -------- d-----w- c:\docume~1\auser\locals~1\applic~1\Help
2011-01-05 20:21:08 -------- d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 23:33:06.64 ===============

 

[bob200]

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/23/2010 11:05:48 AM
System Uptime: 1/5/2011 1:08:28 PM (10 hours ago)

Motherboard: Dell Inc. | | 0HN7XN
Processor: Intel Pentium III Xeon processor | CPU | 2693/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 141.901 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP9: 1/5/2011 1:28:26 PM - Software Distribution Service 3.0
RP10: 1/5/2011 1:38:35 PM - Software Distribution Service 3.0
RP11: 1/5/2011 1:50:47 PM - Software Distribution Service 3.0
RP12: 1/5/2011 2:10:04 PM - Installed Windows XP WgaNotify.
RP13: 1/5/2011 2:13:30 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Reader 8.1.0
Broadcom NetXtreme-I Netlink Driver and Management Installer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8

==== End Of File ===========================

 

[Jack&Jill]

Hello bob200 ,

We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix. Please minimize going online when your security softwares are disabled or not active.

First step:

• Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
• For version 1.6, the steps are similar to either one of the below.
• If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
• If you have Version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version:

• Open Spybot S&D.
• Click Mode, choose Advanced Mode.
• Go to the bottom of the vertical panel on the left, click Tools.
• Then, also in left panel, click on Resident that shows a red/white shield.
• If your firewall raises a question, say OK.
• In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
• OK any prompts.
• Exit Spybot S&D and reboot your machine for the changes to take effect.

Remember to enable it after the fix.

--------------------

Clear the way

• Please download Rkill© by Grinler from one of the links below and save it to your desktop.
  Link 1
  Link 2
  Link 3
  
  
• Allow the download if prompted by your security software.
• Double click on Rkill to run it.
• A command window will open, then disappear upon completion. If this does not happen, delete the file and download from the next link to try again until the tool runs.
• Do not reboot your computer until asked to do so. If no version of Rkill would run, please let me know.
• When finished, Notepad will open with a log called rkill.log.
• Please copy and paste the contents of that log in your next reply. It can also be found at C:\.
• Please leave Rkill on the desktop until otherwise advised.

--------------------

Delete the old ComboFix and download a fresh copy.

Link 1
Link 2

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script

• Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
• If you need help to disable your protection programs see here and here.
• Open Notepad. Copy and paste the following text into it:
  

  File::
  c:\windows\system32\scyiks.dll
  c:\windows\winamp.exe
  c:\windows\hexdump.exe
  c:\windows\spoolsv.exe
  c:\windows\taskmgr.exe
  c:\windows\system32\mh8v69.dll
  
  Folder::
  c:\docume~1\auser\applic~1\whitesmoketoolbar
  c:\program files\whitesmoketoolbar
  c:\docume~1\auser\applic~1\whitesmoketoolbar(2)
  c:\program files\whitesmoketoolbar(2)
  c:\docume~1\auser\applic~1\906E878B6DFFA6D3AC6CA83AC93BDF64
  c:\docume~1\auser\locals~1\applic~1\SanctionedMedia
  
  Driver::
  cerc6
  
  DirLook::
  c:\windows\system32\%APPDATA%
  c:\windows\system32\1039
  
  FileLook::
  c:\windows\system32\Guardian.exe
  c:\docume~1\alluse~1\applic~1\wKWswWK6.exe

• Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix may request an update, please allow it.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
• If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
• Enable back your security softwares as soon as you completed the ComboFix steps.

--------------------

Please post back:
1. the ComboFix log

 

[bob200]

I deactivated TeaTimer.

Ran rkill and combofix as instructed.

Reactivated TeaTimer after combofix was finished.

Here are the logs:

rkill:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/06/2011 at 0:24:58.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 01/06/2011 at 0:25:00.



ComboFix:

ComboFix 11-01-05.03 - Auser 01/06/2011 0:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.1682 [GMT -7:00]
Running from: c:\documents and settings\Auser\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Auser\Desktop\CFScript.txt

FILE ::
"c:\windows\hexdump.exe"
"c:\windows\spoolsv.exe"
"c:\windows\system32\mh8v69.dll"
"c:\windows\system32\scyiks.dll"
"c:\windows\taskmgr.exe"
"c:\windows\winamp.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cerc6


((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-05 21:33 . 2011-01-05 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-01-05 21:33 . 2011-01-05 21:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-05 21:10 . 2011-01-05 21:10 -------- d-sh--w- c:\documents and settings\Auser\IECompatCache
2011-01-05 21:10 . 2011-01-05 21:10 -------- d-sh--w- c:\documents and settings\Auser\PrivacIE
2011-01-05 21:08 . 2011-01-05 21:08 -------- d-sh--w- c:\documents and settings\Auser\IETldCache
2011-01-05 20:58 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-01-05 20:57 . 2010-11-06 00:26 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-05 20:57 . 2010-11-06 00:26 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-05 20:57 . 2010-11-06 00:26 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-05 20:57 . 2010-11-06 00:26 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-05 20:57 . 2010-11-06 00:26 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-05 20:57 . 2010-11-06 00:26 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-05 20:57 . 2010-11-06 00:26 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-05 20:56 . 2011-01-05 20:57 -------- dc-h--w- c:\windows\ie8
2011-01-05 20:45 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-05 20:41 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-05 20:41 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-05 20:41 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-05 20:39 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-01-05 20:39 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-01-05 20:31 . 2011-01-05 20:31 -------- d-----w- c:\documents and settings\Auser\Application Data\Malwarebytes
2011-01-05 20:31 . 2011-01-05 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-05 20:31 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 20:31 . 2011-01-05 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-05 20:31 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 20:30 . 2010-08-13 12:53 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-01-05 20:28 . 2011-01-05 20:28 -------- d-sh--w- c:\documents and settings\Auser\UserData
2011-01-05 20:28 . 2011-01-05 21:06 -------- d--h--w- c:\windows\$hf_mig$
2011-01-05 20:25 . 2011-01-05 20:25 -------- d-----w- c:\documents and settings\Auser\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-02-23 18:01 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2008-04-14 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-04-14 07:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 05:05 . 2010-11-05 05:05 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:25 . 2008-04-14 07:00 385024 ------w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-04-14 07:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-04-14 07:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-04-14 07:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\%APPDATA% ----


---- Directory of c:\windows\system32\1039 ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-28 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-28 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-28 142872]
"RTHDCPL"="RTDCPL.EXE" [2009-08-26 2691072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R3 CmtlPort;Comtrol Serial Port;c:\windows\system32\drivers\rp2cport.sys [11/9/2009 8:19 AM 112128]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2/23/2010 12:28 PM 209960]
R3 RcktPort;Comtrol RocketPort Infinity;c:\windows\system32\drivers\rp2.sys [10/15/2009 12:43 PM 33792]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 00:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3224)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-01-06 00:31:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-06 07:31

Pre-Run: 152,308,527,104 bytes free
Post-Run: 152,326,246,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A29744A65D6409645D0C57BFC6297294

 

[Jack&Jill]

Hello bob200 ,

Looks like the repair install really helped. Lets do a few more scans to see if you are really clean.

I want you to update MBAM and run a scan.

• Open MBAM and click on the Update tab, then Check for Updates.
• When completed, go to back to the Scanner tab and select Perform full scan. Click Scan.
• Leave the default options as it is and click on Start Scan.
• If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
• When done, you will be prompted. Click OK, then click on Show Results.
• Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
• After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Rerun Rootkit Unhooker

• Double click RKUnhookerLE.exe to run it.
• Click the Report tab, then click Scan.
• Ensure the following are checked (ticked):
  • Drivers
  • Stealth Code
  • Files
  • Code Hooks
• Uncheck the rest, then click OK. An initial scan will be performed.
• When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
• Wait until the scanner is done, then click on File at the pull down menu, followed by Save Report.
• Save the report somewhere you can find it. Click Close to exit.
• Copy the entire contents of the report and paste it in your next reply.

You may get a warning about parasite detection. Please click OK to continue.

--------------------

Please post back:
1. MBAM report
2. Rootkit Unhooker log

 

[bob200]

I didn't turn off TeaTimer before doing these scans, not sure if I was supposed to or not.


MBAM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5468

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/6/2011 1:52:43 AM
mbam-log-2011-01-06 (01-52-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 144809
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



___________________

RKU

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB971D000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 6320128 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA84CA000 C:\WINDOWS\system32\drivers\RtDHDAud.sys 6070272 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xBF322000 C:\WINDOWS\System32\igxpdx32.DLL 3518464 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xBF05E000 C:\WINDOWS\System32\igxpdv32.DLL 2899968 bytes (Intel Corporation, Component GHAL Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB9D24000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0xA81F7000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB955C000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA832A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA799E000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xA77CD000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 237568 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB9695000 C:\WINDOWS\system32\DRIVERS\k57xp32.sys 217088 bytes (Broadcom Corporation, Broadcom NetLink (TM) Gigabit Ethernet NDIS5.1 Driver.)
0xB95E2000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA7A6D000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA6C85000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA828F000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB96CA000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA8302000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA82DC000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA84A6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9671000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB963A000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA82BA000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9515000 C:\WINDOWS\system32\DRIVERS\rp2cport.sys 126976 bytes (Comtrol Corporation, Serial Port Device Driver)
0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA81DF000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9623000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7E5A000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB965D000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB96F2000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8383000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9612000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA2B8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA248000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA7FAF000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA218000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA188000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA178000 C:\WINDOWS\system32\DRIVERS\rp2.sys 49152 bytes (Comtrol Corporation, Multiport Serial Device Driver)
0xBA298000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA228000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA208000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA168000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA278000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA7AF2000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA390000 C:\ComboFix\catchme.sys 32768 bytes
0xBA400000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA398000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA3F0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3F8000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA410000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA8402000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA56C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9554000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA54C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xA83FA000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB9DAD000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA83FE000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA554000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB9550000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA544000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA5C2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5C8000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA5C0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5C4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5E2000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA5DE000 C:\WINDOWS\system32\Drivers\PROCEXP113.SYS 8192 bytes
0xBA5C6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5B6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5BA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA743000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA70A000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6D1000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\Qoobox\BackEnv\AppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cache.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Cookies.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Desktop.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Favorites.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\History.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalAppData.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\LocalSettings.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Music.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\NetHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Personal.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Pictures.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\PrintHood.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Programs.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\Recent.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SendTo.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SetPath.bat
!-->[Hidden] C:\Qoobox\BackEnv\StartMenu.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\StartUp.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\SysPath.dat
!-->[Hidden] C:\Qoobox\BackEnv\Templates.folder.dat
!-->[Hidden] C:\Qoobox\BackEnv\VikPev00
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[2836]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2836]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[2836]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[2836]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[2836]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2836]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[2836]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[2836]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[2836]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[2836]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[2836]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[2836]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[2836]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[2836]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[2836]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[2836]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2836]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[2836]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[2836]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[2836]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[2836]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2836]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[2836]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[2836]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[2836]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[2836]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]
[2836]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[2836]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->00000000 [aclayers.dll]
[2836]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->00000000 [aclayers.dll]
[2836]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->00000000 [aclayers.dll]
[2836]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2836]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [aclayers.dll]
[2876]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2876]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[2876]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[2876]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[2876]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[2876]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[2876]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[2876]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[2876]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[2876]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[2876]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[2876]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[2876]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->00000000 [shimeng.dll]
[2876]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->00000000 [aclayers.dll]
[2876]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->00000000 [aclayers.dll]
[2876]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[2876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[2876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[2876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[2876]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[2876]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[2876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->00000000 [aclayers.dll]
[2876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[2876]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[2876]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00000000 [ieframe.dll]
[2876]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00000000 [ieframe.dll]
[2876]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[2876]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->00000000 [aclayers.dll]
[2876]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->00000000 [aclayers.dll]
[2876]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->00000000 [aclayers.dll]
[2876]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]
[2876]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->00000000 [aclayers.dll]
[3224]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3224]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3224]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[3224]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3224]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3224]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]
[3224]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]

 

[Jack&Jill]

Hello bob200 ,

I didn't turn off TeaTimer before doing these scans, not sure if I was supposed to or not.

You should turn it off. Sorry for not being clear about it. In fact, please keep it so until we are done. Since the computer is running better now, we should get you an Antivirus (AV) program.

I do not see any Antivirus (AV) installed on your machine. AV is a very critical part of your system to keep the it safe and clean. Without it, a computer can easily get infected. Please download and install an AV from one of the links below:

Avast
Avira
Microsoft Security Essentials

You should only select one of these three, and keep only one installed.

--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problem running the scan, you might want to disable any real time protection that you have.

• Click here to go to ESET Online Scanner page.
• Click on ESET Online Scanner. A new window will open.
  For FireFox user, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
• After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
• You will be prompted to install an ActiveX Control from ESET. Please install.
• At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
• Now, click on Advanced settings and make sure all these are checked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
• Click on Scan to proceed.
• When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
• Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. the ESET online scan result

 

[bob200]

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=8ecd5cb115484c4eba6ffa52b4f2302e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-01-06 01:18:39
# local_time=2011-01-06 06:18:39 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=28071
# found=0
# cleaned=0
# scan_time=429

 

[bob200]

I gotta run for a bit, I'll be back on later.

I downloaded Microsoft Security Essentials, going to install that before I log off.

 

[Jack&Jill]

Hello bob200 ,

Everything is looking good. Are there any more problems?

After you installed Microsoft Security Essentials, update it and run a scan.

Please run DDS and post back a new log.

 

[bob200]

Everything looks good so far. Just ran a MSE scan, didn't find anything.

Will post DDS logs

 

[bob200]

DDS (Ver_10-12-12.02) - NTFSx86
Run by Auser at 23:36:06.75 on Thu 01/06/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2012.920 [GMT -7:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTDCPL.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Dell\Printer Software\ErrorApp\DKab1err.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\WINDOWS\system32\DKabcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\CA-SupportBridge\Controller.exe
C:\Documents and Settings\All Users\Application Data\CA-SupportBridge\Customer.exe
C:\Documents and Settings\All Users\Application Data\CA-SupportBridge\Controller.exe
C:\Documents and Settings\All Users\Application Data\CA-SupportBridge\Customer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Guardian.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Auser\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DKab1err] c:\program files\dell\printer software\errorapp\DKab1err.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\auser\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 dkab_device;dkab_device;c:\windows\system32\dkabcoms.exe -service --> c:\windows\system32\DKabcoms.exe -service [?]
R2 TheGuardianService;TheGuardian;c:\windows\system32\Guardian.exe [2011-1-6 57344]
R3 CmtlPort;Comtrol Serial Port;c:\windows\system32\drivers\rp2cport.sys [2009-11-9 112128]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2010-2-23 209960]
R3 RcktPort;Comtrol RocketPort Infinity;c:\windows\system32\drivers\rp2.sys [2009-10-15 33792]

=============== Created Last 30 ================

2011-01-07 06:17:16 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-01-07 06:17:11 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{8eab2cdf-8393-4d70-b669-d20942f4c97f}\mpengine.dll
2011-01-07 00:14:21 57344 ----a-w- c:\windows\system32\Guardian.exe
2011-01-07 00:14:21 31744 ----a-w- c:\windows\system32\grant.exe
2011-01-07 00:14:21 13856 ----a-w- c:\windows\system32\gbmail.exe
2011-01-07 00:14:10 -------- d-----w- C:\JEDI
2011-01-07 00:14:00 28432 ----a-w- c:\windows\system32\sleep.exe
2011-01-07 00:09:16 2401836 ----a-w- c:\temp\JEDI2.6.20.EXE
2011-01-06 18:39:53 28672 ----a-w- c:\temp\AutoPrint.exe
2011-01-06 18:34:23 17424760 ----a-w- c:\temp\R202136.exe
2011-01-06 18:14:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2011-01-06 16:13:16 -------- d-----w- c:\docume~1\auser\applic~1\OpenOffice.org
2011-01-06 16:12:12 -------- d-----w- c:\program files\JRE
2011-01-06 16:12:07 -------- d-----w- c:\program files\OpenOffice.org 3
2011-01-06 16:11:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-06 16:11:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-06 15:27:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-01-06 15:27:17 215920 ----a-w- c:\windows\system32\muweb.dll
2011-01-06 15:27:17 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-01-06 13:49:47 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-06 13:42:44 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-06 07:27:35 -------- d-sha-r- C:\cmdcons
2011-01-06 07:26:34 98816 ----a-w- c:\windows\sed.exe
2011-01-06 07:26:34 89088 ----a-w- c:\windows\MBR.exe
2011-01-06 07:26:34 256512 ----a-w- c:\windows\PEV.exe
2011-01-06 07:26:34 161792 ----a-w- c:\windows\SWREG.exe
2011-01-05 21:33:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-05 21:33:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-05 21:10:34 -------- d-sh--w- c:\documents and settings\auser\IECompatCache
2011-01-05 21:10:23 -------- d-sh--w- c:\documents and settings\auser\PrivacIE
2011-01-05 21:08:50 -------- d-sh--w- c:\documents and settings\auser\IETldCache
2011-01-05 20:57:46 -------- d-----w- c:\windows\ie8updates
2011-01-05 20:57:43 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-05 20:57:43 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-01-05 20:57:43 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-01-05 20:57:43 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-01-05 20:57:43 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-01-05 20:57:43 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-01-05 20:57:43 11080704 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-01-05 20:56:53 -------- dc-h--w- c:\windows\ie8
2011-01-05 20:45:40 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-01-05 20:41:00 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-01-05 20:41:00 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-01-05 20:41:00 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-01-05 20:39:16 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-01-05 20:39:16 272128 ------w- c:\windows\system32\drivers\bthport.sys
2011-01-05 20:31:15 -------- d-----w- c:\docume~1\auser\applic~1\Malwarebytes
2011-01-05 20:31:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 20:31:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-05 20:31:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-05 20:31:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-05 20:30:27 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-01-05 20:28:52 -------- d-sh--w- c:\documents and settings\auser\UserData
2011-01-05 20:28:29 -------- d-----w- c:\windows\system32\PreInstall
2011-01-05 20:28:27 -------- d--h--w- c:\windows\$hf_mig$
2011-01-05 20:25:54 -------- d-----w- c:\docume~1\auser\locals~1\applic~1\Help
2011-01-05 20:21:08 -------- d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-05 05:05:35 81920 ------w- c:\windows\system32\ieencode.dll
2010-11-03 12:25:54 385024 ------w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 23:36:33.12 ===============

 

[bob200]

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/23/2010 11:05:48 AM
System Uptime: 1/6/2011 10:26:19 AM (13 hours ago)

Motherboard: Dell Inc. | | 0HN7XN
Processor: Intel Pentium III Xeon processor | CPU | 2693/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 140.597 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP9: 1/5/2011 1:28:26 PM - Software Distribution Service 3.0
RP10: 1/5/2011 1:38:35 PM - Software Distribution Service 3.0
RP11: 1/5/2011 1:50:47 PM - Software Distribution Service 3.0
RP12: 1/5/2011 2:10:04 PM - Installed Windows XP WgaNotify.
RP13: 1/5/2011 2:13:30 PM - Software Distribution Service 3.0
RP14: 1/6/2011 6:49:47 AM - Software Distribution Service 3.0
RP15: 1/6/2011 8:37:56 AM - Software Distribution Service 3.0
RP16: 1/6/2011 9:11:39 AM - Installed Java(TM) 6 Update 20
RP17: 1/6/2011 9:12:04 AM - Installed OpenOffice.org 3.2
RP18: 1/6/2011 9:30:17 AM - Installed Java(TM) 6 Update 23
RP19: 1/6/2011 11:17:09 PM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.0
Broadcom NetXtreme-I Netlink Driver and Management Installer
Dell Printer Software Uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 23
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Security Client
Microsoft Security Essentials
OpenOffice.org 3.2
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8

==== End Of File ===========================

 

[bob200]

I'm noticing something called MsMpEng.exe running in my task manager thats taking up a lot of CPU.

Google searching suggests it's not malicious, but I'd still like to know why it'as there all a sudden. Could it be associated with MSE?

 

[Jack&Jill]

Hello bob200 ,

I'm noticing something called MsMpEng.exe running in my task manager thats taking up a lot of CPU.

Yes, it is related to MSE.

--------------------

Your Adobe Reader is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Adobe Reader to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Adobe Reader 8.1.0

• Go to the Adobe download page. Click here.
• If your OS is not the same as stated, click on Different language or operating system? link.
  • Under the Select an operating system title, click on Select an OS... box and choose the OS that you have.
  • Change the language if you want by clicking on English below the Select a language title.
  • Press Continue.
  • Uncheck (untick) Free McAfee Security Scan (optional).
  • Click the Download now button after selecting the latest version.
  • Allow if prompted and save the file to a convenient location.
  • Run the downloaded file to continue with the installation.
• If your OS is the same, uncheck (untick) Free McAfee Security Scan (optional).
• Click Download to proceed. Allow if prompted and save the file to a convenient location.
• Run the downloaded file to continue with the installation.

--------------------

Congratulations, you are All Clear to go. Glad to hear everything is good and running . If you have any more problems, please let me know.

Now we need to clear out the programs we have been using to clean up your computer. They are not suitable for general malware removal and could cause damage if used inappropriately.

• Go to Start > Run.... Copy and paste the following text into the white box:
  ComboFix /uninstall
  Click OK.
• Delete the SystemLook, Rootkit Unhooker, TDSSKiller and RKill files on your desktop.
• Delete any logs on the desktop.

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows XP to always update the latest security patches from Microsoft, or you can download from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malwares.

2. Update your Antivirus program regularly, it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials, Avast and Avira are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

6. Install Web of Trust (WOT). WOT keeps you from dangerous websites with warnings and blockings.

7. Protect your computer from removable or USB drive infections with Panda USB Vaccine, an effective method to prevent malware from spreading.

8. Keep all your softwares updated. Visit Secunia Software Inspector to find out if any updates required.

9. Install a third party firewall if you do not have one for additional defense against internet dangers. Built-in Windows firewall can only keep nasties from breaking in, but unable to protect against any malwares from sending information out. Some recommended firewalls are Online Armor, Outpost and PC Tools. More information on firewalls. Please keep only one FW installed.

10. If you have been a victim of malware before, Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

11. Also look up:
Computer Security - a short guide to staying safer online By Gary R and Wingman
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.