
Thread: Numerous Issues Found, Can't Run Spybot or Install Latest HijackThis

  1. #51
    Member
    Join Date
    Apr 2010
    Posts
    45


    I think I need to correct my previously posted GMER log. I ran that literally in safe mode, without networking. It occurred to me last night that all my problems seem to show themselves when networking is part of the picture, so I kicked it off again before going to bed. Well, it's still running (around 8 hours later), but I saved a pre-scan log that said something about device atapi having a "suspicious configuration." Or something like that.

    I don't want to do anything that might risk the scan crashing, so I can't attach that file at the moment. (Writing this from another machine.) What's currently showing in the scan window for that device is:

    Device -> \Driver\atapi\Device\Harddisk0\DR0 892A6AC8

    There are more things listed, I hope to be able to post that soon.

  2. #52
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    OK, let's wait for the full report.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #53
    Member
    Join Date
    Apr 2010
    Posts
    45


    Wow, that was a scan for the record books. After the better part of a day, here's the result.

    GMER Log:
    ---

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-19 00:27:30
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\Brian\LOCALS~1\Temp\ufddaaog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\System32\DRIVERS\RDPCDD.sys entry point in ".rsrc" section [0xF79ADC14]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
    .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C
    .text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0261000A
    .text C:\WINDOWS\system32\svchost.exe[884] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0260000A
    .text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
    .text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat B93B7D20
    Device -> \Driver\atapi \Device\Harddisk0\DR0 892A6AC8

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
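
The log above is the evidence the expert's next reply rests on: inline JMP hooks on ntdll/USER32 exports inside svchost.exe and Explorer.EXE that land in low, non-image addresses, the `Device ->` arrow GMER prints when a device object's driver pointer no longer points at the named driver (here the atapi disk device), and two drivers flagged `suspicious modification` on disk. As an added example (not GMER's code and not code posted in this thread), the following Python script parses log lines of that shape and groups those three finding classes so a responder can see the pattern at a glance. The sample input is constructed from the lines quoted above; the address thresholds are assumptions about 32-bit Windows XP's user-mode layout, and the "non-image memory" rule is a heuristic, not something GMER itself reports.

```python
"""Triage helper for a GMER rootkit-scan log.

Added example, not GMER's code and not posted in the thread. It pulls three
finding classes out of the text GMER prints: user-mode inline hooks (.text
lines), device objects GMER marks with '->', and files flagged 'suspicious
modification'. The 'non-image memory' rule below is a heuristic.
"""
import re
from collections import defaultdict

# Constructed sample input, shaped like the GMER 1.0.15 lines quoted in the thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0261000A
.text C:\WINDOWS\Explorer.EXE[1668] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \FileSystem\Fastfat \Fat B93B7D20
Device -> \Driver\atapi \Device\Harddisk0\DR0 892A6AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\DRIVERS\RDPCDD.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})$"
)
# Only the arrow form is of interest; plain "Device ..." lines are ordinary objects.
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<obj>[0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")

# Assumed 32-bit XP layout: system DLLs map high, process-private allocations low.
SYSTEM_DLL_FLOOR = 0x70000000
PRIVATE_CEILING = 0x10000000


def hook_is_suspicious(addr, target):
    """Heuristic: an export in a high-loaded system DLL that JMPs to a low,
    non-image address has been detoured into memory injected into the process."""
    return addr >= SYSTEM_DLL_FLOOR and target < PRIVATE_CEILING


def triage(log_text):
    """Parse a GMER log and return the findings grouped by class."""
    hooks, files, devices = [], [], []
    procs = defaultdict(list)  # "<image>[<pid>]" -> exports detoured into non-image memory
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):  # section headers and blanks
            continue
        m = HOOK_RE.match(line)
        if m:
            addr, target = int(m["addr"], 16), int(m["target"], 16)
            hook = {
                "process": f'{m["image"]}[{m["pid"]}]',
                "export": f'{m["module"]}!{m["export"]}',
                "addr": addr,
                "target": target,
                "suspicious": hook_is_suspicious(addr, target),
            }
            hooks.append(hook)
            if hook["suspicious"]:
                procs[hook["process"]].append(hook["export"])
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append({"driver": m["driver"], "device": m["device"], "object": m["obj"]})
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m["path"])
    return {
        "hooks": hooks,
        "hooked_processes": dict(procs),
        "redirected_devices": devices,
        "suspicious_files": files,
    }


def summarize(result):
    """One human-readable line per finding, in the order a responder reads them."""
    out = []
    for proc, exports in sorted(result["hooked_processes"].items()):
        out.append(f"{proc}: {len(exports)} inline hook(s) into non-image memory: {', '.join(exports)}")
    for d in result["redirected_devices"]:
        out.append(f"device object {d['device']} of {d['driver']} redirected (object {d['object']})")
    for path in result["suspicious_files"]:
        out.append(f"on-disk driver modified: {path}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run against a full log the script ignores `AttachedDevice` entries (legitimate filter drivers such as the McAfee firewall here) and device lines without the arrow, so the summary is only the three signals worth acting on. Seeing all three together, user-mode hooks in service and shell processes, a redirected disk device object, and a modified atapi.sys, is the combination the expert below reads as the TDSS rootkit.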

  4. #54
    Member
    Join Date
    Apr 2010
    Posts
    45


    Also, here's the hs_err... log I mentioned before. (The one with the Java error.)

    hs_err_pid318784.log contents:
    ----
    #
    # An unexpected error has been detected by Java Runtime Environment:
    #
    # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0313cc47, pid=318784, tid=312032
    #
    # Java VM: Java HotSpot(TM) Client VM (11.3-b02 mixed mode, sharing windows-x86)
    # Problematic frame:
    # C 0x0313cc47
    #
    # If you would like to submit a bug report, please visit:
    # http://java.sun.com/webapps/bugreport/crash.jsp
    # The crash happened outside the Java Virtual Machine in native code.
    # See problematic frame for where to report the bug.
    #

    --------------- T H R E A D ---------------

    Current thread (0x03194800): JavaThread "thread applet-Uutecwv-1" [_thread_in_native, id=312032, stack(0x04060000,0x040b0000)]

    siginfo: ExceptionCode=0xc0000005, reading address 0xfffffff1

    Registers:
    EAX=0xffffffff, EBX=0x26c5e220, ECX=0x031f9600, EDX=0x00000000
    ESP=0x040aeaa0, EBP=0x255a255a, ESI=0x26c5e220, EDI=0x03194800
    EIP=0x0313cc47, EFLAGS=0x00210202

    Top of Stack: (sp=0x040aeaa0)
    0x040aeaa0: 0313cc44 0313cc5c 040aeaa8 26c5e220
    0x040aeab0: 040aeadc 26c5e8e8 00000000 26c5e220
    0x040aeac0: 00000000 040aead8 040aeb04 00c52e83
    0x040aead0: 00000000 00c58189 22a90d20 22a9d830
    0x040aeae0: 22a9d830 040aeae4 26c5e17f 040aeb14
    0x040aeaf0: 26c5e8e8 00000000 26c5e1a0 040aead8
    0x040aeb00: 040aeb10 040aeb38 00c52da1 22a9ed58
    0x040aeb10: 22a90d20 22a9d830 040aeb18 26c5d729

    Instructions: (pc=0x0313cc47)
    0x0313cc37: 2b 48 66 1a 2b 20 e2 c5 26 68 8d 19 2b 48 0a 19
    0x0313cc47: 2b 68 f2 a9 22 08 73 78 2b b0 ac 19 2b 68 8d 19


    Stack: [0x04060000,0x040b0000], sp=0x040aeaa0, free space=314k
    Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
    C 0x0313cc47

    Java frames: (J=compiled Java code, j=interpreted, Vv=VM code)
    j com.sun.media.sound.HeadspaceSoundbank.nOpenResource(Ljava/lang/String;)J+0
    j com.sun.media.sound.HeadspaceSoundbank.initialize(Ljava/lang/String;)V+7
    j com.sun.media.sound.HeadspaceSoundbank.<init>(Ljava/net/URL;)V+89
    j com.sun.media.sound.HsbParser.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+5
    j javax.sound.midi.MidiSystem.getSoundbank(Ljava/net/URL;)Ljavax/sound/midi/Soundbank;+36
    j Uutecwv.init()V+7340
    j sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run()V+837
    j java.lang.Thread.run()V+11
    v ~StubRoutines::call_stub

    --------------- P R O C E S S ---------------

    Java Threads: ( => current thread )
    0x03194c00 JavaThread "Timer-2" [_thread_blocked, id=317512, stack(0x04010000,0x04060000)]
    0x032b3800 JavaThread "Java Sound Event Dispatcher" daemon [_thread_blocked, id=314936, stack(0x04200000,0x04250000)]
    0x03198000 JavaThread "D3D Screen Updater" daemon [_thread_blocked, id=182588, stack(0x041b0000,0x04200000)]
    =>0x03194800 JavaThread "thread applet-Uutecwv-1" [_thread_in_native, id=312032, stack(0x04060000,0x040b0000)]
    0x0315e800 JavaThread "Browser Side Object Cleanup Thread" [_thread_blocked, id=316624, stack(0x03f70000,0x03fc0000)]
    0x03150c00 JavaThread "Windows Tray Icon Thread" [_thread_in_native, id=319440, stack(0x037d0000,0x03820000)]
    0x0314fc00 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=314668, stack(0x03780000,0x037d0000)]
    0x03162800 JavaThread "CacheMemoryCleanUpThread" daemon [_thread_blocked, id=315808, stack(0x03730000,0x03780000)]
    0x03129c00 JavaThread "Java Plug-In Heartbeat Thread" [_thread_blocked, id=318436, stack(0x036e0000,0x03730000)]
    0x02e8e000 JavaThread "AWT-Windows" daemon [_thread_in_native, id=319080, stack(0x03590000,0x035e0000)]
    0x02e42000 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=318892, stack(0x034f0000,0x03540000)]
    0x02e40800 JavaThread "Java Plug-In Pipe Worker Thread (Client-Side)" daemon [_thread_in_native, id=319352, stack(0x03450000,0x034a0000)]
    0x03134800 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=316876, stack(0x03370000,0x033c0000)]
    0x02e88000 JavaThread "Timer-0" [_thread_blocked, id=317624, stack(0x03320000,0x03370000)]
    0x02dc1c00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=315604, stack(0x03070000,0x030c0000)]
    0x02dbbc00 JavaThread "CompilerThread0" daemon [_thread_blocked, id=316188, stack(0x03020000,0x03070000)]
    0x02dba400 JavaThread "Attach Listener" daemon [_thread_blocked, id=318176, stack(0x02fd0000,0x03020000)]
    0x02db9000 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=317852, stack(0x02f80000,0x02fd0000)]
    0x02db0c00 JavaThread "Finalizer" daemon [_thread_blocked, id=313936, stack(0x02f30000,0x02f80000)]
    0x02daf800 JavaThread "Reference Handler" daemon [_thread_blocked, id=318420, stack(0x02ee0000,0x02f30000)]
    0x002e7000 JavaThread "main" [_thread_in_native, id=316392, stack(0x00bd0000,0x00c20000)]

    Other Threads:
    0x02dadc00 VMThread [stack: 0x02e90000,0x02ee0000] [id=316716]
    0x02dcc800 WatcherThread [stack: 0x030c0000,0x03110000] [id=317548]

    VM state:not at safepoint (normal execution)

    VM Mutex/Monitor currently owned by a thread: None

    Heap
    def new generation total 4544K, used 1709K [0x22990000, 0x22e70000, 0x22e70000)
    eden space 4096K, 41% used [0x22990000, 0x22b3b578, 0x22d90000)
    from space 448K, 0% used [0x22d90000, 0x22d90240, 0x22e00000)
    to space 448K, 0% used [0x22e00000, 0x22e00000, 0x22e70000)
    tenured generation total 60544K, used 51259K [0x22e70000, 0x26990000, 0x26990000)
    the space 60544K, 84% used [0x22e70000, 0x2607eda8, 0x2607ee00, 0x26990000)
    compacting perm gen total 12288K, used 2994K [0x26990000, 0x27590000, 0x2a990000)
    the space 12288K, 24% used [0x26990000, 0x26c7c908, 0x26c7ca00, 0x27590000)
    ro space 8192K, 63% used [0x2a990000, 0x2aea8810, 0x2aea8a00, 0x2b190000)
    rw space 12288K, 53% used [0x2b190000, 0x2b7fd300, 0x2b7fd400, 0x2bd90000)

    Dynamic libraries:
    0x00400000 - 0x00424000 C:\Program Files\Java\jre6\bin\java.exe
    0x7c900000 - 0x7c9b2000 C:\WINDOWS\system32\ntdll.dll
    0x7c800000 - 0x7c8f6000 C:\WINDOWS\system32\kernel32.dll
    0x77dd0000 - 0x77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
    0x77e70000 - 0x77f02000 C:\WINDOWS\system32\RPCRT4.dll
    0x77fe0000 - 0x77ff1000 C:\WINDOWS\system32\Secur32.dll
    0x5cb70000 - 0x5cb96000 C:\WINDOWS\system32\ShimEng.dll
    0x71590000 - 0x71609000 C:\WINDOWS\AppPatch\AcLayers.DLL
    0x7e410000 - 0x7e4a1000 C:\WINDOWS\system32\USER32.dll
    0x77f10000 - 0x77f59000 C:\WINDOWS\system32\GDI32.dll
    0x7c9c0000 - 0x7d1d7000 C:\WINDOWS\system32\SHELL32.dll
    0x77c10000 - 0x77c68000 C:\WINDOWS\system32\msvcrt.dll
    0x77f60000 - 0x77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
    0x774e0000 - 0x7761d000 C:\WINDOWS\system32\ole32.dll
    0x769c0000 - 0x76a74000 C:\WINDOWS\system32\USERENV.dll
    0x73000000 - 0x73026000 C:\WINDOWS\system32\WINSPOOL.DRV
    0x76390000 - 0x763ad000 C:\WINDOWS\system32\IMM32.DLL
    0x773d0000 - 0x774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    0x009b0000 - 0x009cb000 C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll
    0x76c90000 - 0x76cb8000 C:\WINDOWS\system32\imagehlp.dll
    0x3d930000 - 0x3da01000 C:\WINDOWS\system32\WININET.dll
    0x009e0000 - 0x009e9000 C:\WINDOWS\system32\Normaliz.dll
    0x3dfd0000 - 0x3e015000 C:\WINDOWS\system32\iertutil.dll
    0x7c340000 - 0x7c396000 C:\Program Files\Java\jre6\bin\msvcr71.dll
    0x6d800000 - 0x6da56000 C:\Program Files\Java\jre6\bin\client\jvm.dll
    0x76b40000 - 0x76b6d000 C:\WINDOWS\system32\WINMM.dll
    0x6d290000 - 0x6d298000 C:\Program Files\Java\jre6\bin\hpi.dll
    0x76bf0000 - 0x76bfb000 C:\WINDOWS\system32\PSAPI.DLL
    0x6d7b0000 - 0x6d7bc000 C:\Program Files\Java\jre6\bin\verify.dll
    0x6d330000 - 0x6d34f000 C:\Program Files\Java\jre6\bin\java.dll
    0x6d7f0000 - 0x6d7ff000 C:\Program Files\Java\jre6\bin\zip.dll
    0x6d430000 - 0x6d436000 C:\Program Files\Java\jre6\bin\jp2native.dll
    0x6d1d0000 - 0x6d1e3000 C:\Program Files\Java\jre6\bin\deploy.dll
    0x77a80000 - 0x77b15000 C:\WINDOWS\system32\CRYPT32.dll
    0x77b20000 - 0x77b32000 C:\WINDOWS\system32\MSASN1.dll
    0x77120000 - 0x771ab000 C:\WINDOWS\system32\OLEAUT32.dll
    0x78130000 - 0x78258000 C:\WINDOWS\system32\urlmon.dll
    0x6d6b0000 - 0x6d6f2000 C:\Program Files\Java\jre6\bin\regutils.dll
    0x77c00000 - 0x77c08000 C:\WINDOWS\system32\VERSION.dll
    0x7d1e0000 - 0x7d49c000 C:\WINDOWS\system32\msi.dll
    0x6d610000 - 0x6d623000 C:\Program Files\Java\jre6\bin\net.dll
    0x71ab0000 - 0x71ac7000 C:\WINDOWS\system32\WS2_32.dll
    0x71aa0000 - 0x71aa8000 C:\WINDOWS\system32\WS2HELP.dll
    0x6d630000 - 0x6d639000 C:\Program Files\Java\jre6\bin\nio.dll
    0x6d000000 - 0x6d14a000 C:\Program Files\Java\jre6\bin\awt.dll
    0x5ad70000 - 0x5ada8000 C:\WINDOWS\system32\uxtheme.dll
    0x74720000 - 0x7476c000 C:\WINDOWS\system32\MSCTF.dll
    0x77b40000 - 0x77b62000 C:\WINDOWS\system32\apphelp.dll
    0x755c0000 - 0x755ee000 C:\WINDOWS\system32\msctfime.ime
    0x6d230000 - 0x6d284000 C:\Program Files\Java\jre6\bin\fontmanager.dll
    0x4fdd0000 - 0x4ff76000 C:\WINDOWS\system32\d3d9.dll
    0x03820000 - 0x03826000 C:\WINDOWS\system32\d3d8thk.dll
    0x71a50000 - 0x71a8f000 C:\WINDOWS\System32\mswsock.dll
    0x76f20000 - 0x76f47000 C:\WINDOWS\system32\DNSAPI.dll
    0x76fb0000 - 0x76fb8000 C:\WINDOWS\System32\winrnr.dll
    0x76f60000 - 0x76f8c000 C:\WINDOWS\system32\WLDAP32.dll
    0x10000000 - 0x10013000 C:\WINDOWS\system32\VNsp.dll
    0x76fc0000 - 0x76fc6000 C:\WINDOWS\system32\rasadhlp.dll
    0x04700000 - 0x0471d000 C:\WINDOWS\system32\VLsp.dll
    0x662b0000 - 0x66308000 C:\WINDOWS\system32\hnetcfg.dll
    0x71a90000 - 0x71a98000 C:\WINDOWS\System32\wshtcpip.dll
    0x68000000 - 0x68036000 C:\WINDOWS\system32\rsaenh.dll
    0x5b860000 - 0x5b8b5000 C:\WINDOWS\system32\netapi32.dll
    0x6d1a0000 - 0x6d1c3000 C:\Program Files\Java\jre6\bin\dcpr.dll
    0x6d520000 - 0x6d544000 C:\Program Files\Java\jre6\bin\jsound.dll
    0x6d550000 - 0x6d558000 C:\Program Files\Java\jre6\bin\jsoundds.dll
    0x73f10000 - 0x73f6c000 C:\WINDOWS\system32\DSOUND.dll
    0x76c30000 - 0x76c5e000 C:\WINDOWS\system32\WINTRUST.dll
    0x72d20000 - 0x72d29000 C:\WINDOWS\system32\wdmaud.drv
    0x72d10000 - 0x72d18000 C:\WINDOWS\system32\msacm32.drv
    0x77be0000 - 0x77bf5000 C:\WINDOWS\system32\MSACM32.dll
    0x77bd0000 - 0x77bd7000 C:\WINDOWS\system32\midimap.dll
    0x76ee0000 - 0x76f1c000 C:\WINDOWS\system32\RASAPI32.dll
    0x76e90000 - 0x76ea2000 C:\WINDOWS\system32\rasman.dll
    0x76eb0000 - 0x76edf000 C:\WINDOWS\system32\TAPI32.dll
    0x76e80000 - 0x76e8e000 C:\WINDOWS\system32\rtutils.dll
    0x77c70000 - 0x77c95000 C:\WINDOWS\system32\msv1_0.dll
    0x76790000 - 0x7679c000 C:\WINDOWS\system32\cryptdll.dll
    0x76d60000 - 0x76d79000 C:\WINDOWS\system32\iphlpapi.dll
    0x722b0000 - 0x722b5000 C:\WINDOWS\system32\sensapi.dll

    VM Arguments:
    jvm_args: -D__jvm_launched=661128458268 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar
    java_command: sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid317616_pipe4,read_pipe_name=jpi2_pid317616_pipe3
    Launcher Type: SUN_STANDARD

    Environment Variables:
    PATH=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\PROGRA~1\IBM\SQLLIB\BIN;C:\PROGRA~1\IBM\SQLLIB\FUNCTION;C:\PROGRA~1\IBM\SQLLIB\SAMPLES\REPL;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
    USERNAME=Brian
    OS=Windows_NT
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel



    --------------- S Y S T E M ---------------

    OS: Windows XP Build 2600 Service Pack 3

    CPU:total 2 (2 cores per cpu, 1 threads per core) family 6 model 14 stepping 8, cmov, cx8, fxsr, mmx, sse, sse2, sse3

    Memory: 4k page, physical 2095224k(653028k free), swap 4033408k(2281804k free)

    vm_info: Java HotSpot(TM) Client VM (11.3-b02) for windows-x86 JRE (1.6.0_13-b03), built on Mar 9 2009 01:15:24 by "java_re" with MS VC++ 7.1

    time: Fri Apr 09 04:11:34 2010
    elapsed time: 17 seconds

  5. #55
    Member
    Join Date
    Apr 2010
    Posts
    45


    And here's the SystemLook output:
    ----
    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 01:14 on 19/04/2010 by Brian (Administrator - Elevation successful)

    ========== reg ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe""
    "Creative Detector"=""C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R"
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
    "DellSupport"=""C:\Program Files\DellSupport\DSAgnt.exe" /startup"
    "DellSupportCenter"=""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter"
    "Google Update"=""C:\Documents and Settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c"
    "ISUSPM"=""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler"
    "Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe"
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart"
    "SetDefaultMIDI"="MIDIDef.exe"
    "SlickRun"=""C:\Program Files\SlickRun\sr.exe""
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r"
    "CXMon"=""C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe""
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe"
    "DellSupportCenter"=""C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter"
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe"
    "dscactivate"=""C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe""
    "eBook Library Launcher"="C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe"
    "eFax 4.3"=""C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R"
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    "ISUSPM Startup"=""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup"
    "ISUSScheduler"=""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start"
    "jusanifowi"="Rundll32.exe "fimuwaho.dll",s"
    "LogitechCommunicationsManager"=""C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe""
    "LogitechQuickCamRibbon"=""C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide"
    "MBMon"="Rundll32 CTMBHA.DLL,MBMon"
    "mcagent_exe"=""C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey"
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    "NvCplDaemon"="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"
    "NVHotkey"="rundll32.exe nvHotkey.dll,Start"
    "nwiz"="nwiz.exe /installquiet"
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
    "RoxWatchTray"=""C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe""
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe"
    "SigmatelSysTrayApp"="stsystra.exe"
    "SunJavaUpdateSched"=""C:\Program Files\Common Files\Java\Java Update\jusched.exe""
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    "UpdReg"="C:\WINDOWS\UpdReg.EXE"
    "VoiceCenter"=""C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray"
    "WTClient"="WTClient.exe"
    "wubazevon"="Rundll32.exe "c:\windows\system32\gobiheyi.dll",a"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


    -=End Of File=-

  6. #56
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Good Morning,

    Looks like your hard work has paid off. The GMER scan is showing that you're infected with the latest version of the TDSS Rootkit. This is what's causing you all your grief.

    You have Combofix on your desktop. Drag it to the trash and download a fresh copy to your desktop. < Important, but don't run it yet.


    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    It would be to your benefit to install the Recovery Console in case it's needed.

    Next, do this


    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above TDL::


    Code:
    TDL::
    C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

  7. #57
    Member
    Join Date
    Apr 2010
    Posts
    45


    I've never been so relieved to be told I have a computer virus.

    Here's the ComboFix log (yeah, I saved it as "Combarino-Feex" LOL):
    ---
    ComboFix 10-04-18.04 - Brian 04/19/2010 12:29:42.4.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1692 [GMT -4:00]
    Running from: c:\documents and settings\Brian\Desktop\Combarino-Feex.exe
    Command switches used :: c:\documents and settings\Brian\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\System32\DRIVERS\RDPCDD.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    Infected copy of c:\windows\system32\DRIVERS\RDPCDD.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    Infected copy of c:\windows\System32\DRIVERS\RDPCDD.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    Infected copy of c:\windows\system32\DRIVERS\RDPCDD.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-15 17:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
    2010-04-15 17:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
    2010-04-12 02:44 . 2010-04-12 02:44 -------- d-----w- c:\program files\Trend Micro
    2010-04-12 02:38 . 2010-04-12 02:38 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-04-11 17:56 . 2010-04-11 17:56 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-04-11 17:54 . 2010-04-14 23:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-11 06:34 . 2010-04-11 06:34 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
    2010-04-11 06:34 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-11 06:34 . 2010-04-16 21:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-11 06:34 . 2010-04-11 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-11 06:34 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-02 18:21 . 2010-04-02 18:21 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\ICS
    2010-04-01 18:45 . 2010-04-01 18:45 -------- d-----w- c:\documents and settings\Brian\Application Data\Office Genuine Advantage

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 16:26 . 2004-08-11 22:00 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.sys
    2010-04-18 05:40 . 2008-05-11 04:50 -------- d-----w- c:\program files\RingJone
    2010-04-18 04:45 . 2010-04-16 20:34 117760 ----a-w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-04-16 20:34 . 2010-04-16 20:34 52224 ----a-w- c:\documents and settings\Brian\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-04-16 19:32 . 2006-06-14 17:52 64847 ----a-w- c:\windows\system32\nvModes.dat
    2010-04-16 17:42 . 2006-06-14 18:02 -------- d-----w- c:\program files\Common Files\Java
    2010-04-16 17:42 . 2010-04-16 17:42 503808 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e399f56-n\msvcp71.dll
    2010-04-16 17:42 . 2010-04-16 17:42 499712 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e399f56-n\jmc.dll
    2010-04-16 17:42 . 2010-04-16 17:42 348160 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6e399f56-n\msvcr71.dll
    2010-04-16 17:42 . 2010-04-16 17:42 61440 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-66ec1db0-n\decora-sse.dll
    2010-04-16 17:42 . 2010-04-16 17:42 12800 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-66ec1db0-n\decora-d3d.dll
    2010-04-16 17:41 . 2008-12-18 16:51 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-10 17:48 . 2008-07-08 15:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-10 17:47 . 2008-07-08 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-10 17:07 . 2008-12-03 18:36 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-01 16:43 . 2009-04-12 17:53 256 ----a-w- c:\windows\system32\pool.bin
    2010-03-30 09:19 . 2008-05-06 15:48 -------- d-----w- c:\documents and settings\Brian\Application Data\uTorrent
    2010-03-21 17:13 . 2006-06-21 01:11 -------- d-----w- c:\documents and settings\Brian\Application Data\Skype
    2010-03-21 15:30 . 2008-04-30 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
    2010-03-21 15:30 . 2008-04-30 19:14 -------- d-----w- c:\program files\Winamp Remote
    2010-03-21 15:02 . 2008-03-26 21:27 -------- d-----w- c:\documents and settings\Brian\Application Data\skypePM
    2010-03-11 12:38 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 21:50 . 2007-09-26 21:07 -------- d-----w- c:\program files\Winamp
    2010-03-09 21:49 . 2010-03-09 21:49 -------- d-----w- c:\program files\Winamp WINAMPONLY
    2010-03-09 21:41 . 2010-03-09 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-03-09 21:39 . 2006-06-14 18:15 -------- d-----w- c:\program files\QuickTime
    2010-03-09 21:34 . 2010-03-09 21:34 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-04 16:41 . 2010-01-08 18:08 -------- d-----w- c:\program files\Defraggler
    2010-02-18 19:06 . 2010-02-18 19:06 -------- d-----w- c:\program files\TweetDeck
    2010-02-10 05:10 . 2010-02-10 05:10 77916 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-01-21 23:37 . 2008-05-07 18:11 98184 ----a-w- c:\documents and settings\SPIDERMONKEY\ASPNET\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2008-02-07 18:44 . 2008-02-07 18:44 27976 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-02-07 18:44 . 2008-02-07 18:44 125848 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2008-02-07 18:44 . 2008-02-07 18:44 46408 -c--a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2007-11-09 21:10 . 2007-11-09 21:10 30288 -c--a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2007-11-09 21:10 . 2007-11-09 21:10 79440 -c--a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2007-11-09 21:10 . 2007-11-09 21:10 75344 -c--a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2007-11-09 21:10 . 2007-11-09 21:10 140880 -c--a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2007-11-09 21:10 . 2007-11-09 21:10 42576 -c--a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2007-11-09 21:10 . 2007-11-09 21:10 50768 -c--a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2008-02-07 18:44 . 2008-02-07 18:44 98712 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2007-11-09 21:10 . 2007-11-09 21:10 34384 -c--a-w- c:\program files\mozilla firefox\plugins\logging.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2007-11-09 21:11 . 2007-11-09 21:11 685648 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2007-11-09 21:11 . 2007-11-09 21:11 30288 -c--a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2004-08-04 10:00 . 2004-08-11 22:00 94784 -csh--w- c:\windows\twain.dll
    2008-04-14 00:12 . 2004-08-11 22:00 50688 --sh--w- c:\windows\twain_32.dll
    2006-02-17 02:33 . 2006-02-17 02:33 1216 -csh--w- c:\windows\Twunk_16.dll
    2006-02-17 02:33 . 2006-02-17 02:33 1216 -csh--w- c:\windows\Twunk_32.dll
    2006-06-21 01:28 . 2006-06-21 01:28 88 --sh--r- c:\windows\system32\12CD8DF12B.sys
    2006-06-21 00:01 . 2006-06-21 00:01 56 --sh--r- c:\windows\system32\2BF18DCD12.sys
    2006-06-21 01:28 . 2006-06-21 00:01 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2008-04-14 00:11 . 2004-08-11 22:00 1028096 --sha-w- c:\windows\system32\mfc42.dll
    2008-04-14 00:12 . 2004-08-11 22:00 57344 --sha-w- c:\windows\system32\msvcirt.dll
    2008-04-14 00:12 . 2004-08-11 22:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
    2008-04-14 00:12 . 2004-08-11 22:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
    2008-04-14 00:12 . 2004-08-11 22:00 84992 --sha-w- c:\windows\system32\olepro32.dll
    2008-04-14 00:12 . 2004-08-11 22:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
    "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
    "Nero PhotoShow Media Manager"="c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-07-31 139264]
    "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "SlickRun"="c:\program files\SlickRun\sr.exe" [2007-03-21 187392]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "Google Update"="c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-05 133104]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-04-10 2010864]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
    "nwiz"="nwiz.exe" [2006-03-22 1519616]
    "NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2006-05-03 98304]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "MBMon"="CTMBHA.DLL" [2006-03-03 1355938]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-01-02 1126400]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
    "CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
    "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "WTClient"="WTClient.exe" [2007-04-11 40960]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
    "eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2009-11-24 906640]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-14 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-2 40960]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-9-3 66864]
    Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2007-7-29 81920]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-10 16:11 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmd21.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
    backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
    2010-03-11 02:32 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GC75-Manager-Class]
    2004-04-08 10:36 766045 ------w- c:\program files\Sony Ericsson\Wireless Manager\GC75Manager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
    2007-07-25 21:30 974848 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
    2007-07-25 21:32 823296 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-02-15 23:50 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2006-06-14 18:15 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
    "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [6/7/2007 1:16 PM 18944]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 4:11 PM 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 4:11 PM 66632]
    S2 gupdate1c99460716cd960;Google Update Service (gupdate1c99460716cd960);c:\program files\Google\Update\GoogleUpdate.exe [2/21/2009 4:10 PM 133104]
    S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [3/4/2007 12:12 AM 202096]
    S2 MSSQL$DUMAS;MSSQL$DUMAS;c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sDUMAS --> c:\progra~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe -sDUMAS [?]
    S2 ReportServer;ReportServer;c:\program files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\bin\ReportingServicesService.exe [11/18/2003 9:24 AM 8192]
    S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [1/5/2004 11:01 AM 1080832]
    S3 PCD5SRVC{FBEA8B78-1B22F121-05040000};PCD5SRVC{FBEA8B78-1B22F121-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms [12/5/2007 4:47 PM 20640]
    S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2/26/2007 9:51 PM 18944]
    S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [4/23/2007 11:28 AM 10752]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 4:11 PM 12872]
    S3 SQLAgent$DUMAS;SQLAgent$DUMAS;c:\program files\Microsoft SQL Server\MSSQL$DUMAS\binn\sqlagent.exe -i DUMAS --> c:\program files\Microsoft SQL Server\MSSQL$DUMAS\binn\sqlagent.exe -i DUMAS [?]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
    .
    Contents of the 'Scheduled Tasks' folder

    2007-02-27 c:\windows\Tasks\FRU Task 2002-12-03 04:38ewlett-Packard2002-12-03 04:38p psc 1200 series84887B468ABA3F57D76752217D5938688025EB21155692949.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-03 00:38]

    2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 20:10]

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 20:10]

    2010-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493193966-4068291066-1826140697-1005Core.job
    - c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 15:26]

    2010-04-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-493193966-4068291066-1826140697-1005UA.job
    - c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 15:26]

    2010-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-04-28 16:22]

    2010-04-01 c:\windows\Tasks\McQcTask.job
    - c:\program files\mcafee\mqc\QcConsol.exe [2007-04-28 16:22]

    2010-04-18 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://localhost/Procurement/Admin/SiteMap.aspx
    uInternet Settings,ProxyOverride = localhost
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    LSP: VLsp.dll
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\p6dqke3h.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
    FF - component: c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\p6dqke3h.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - plugin: c:\documents and settings\Brian\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npdeploytk.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npnul32.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\NPOFFICE.DLL
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\nppdf32.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin2.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin3.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin4.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin5.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin6.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npqtplugin7.dll
    FF - plugin: c:\progra~1\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\Skyhook Wireless\Loki Browser Plugin\nploki.dll
    FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{85582241-0f62-414c-afa2-16254ae6bd04} - yonitino.dll
    HKLM-Run-jusanifowi - fimuwaho.dll
    HKLM-Run-wubazevon - c:\windows\system32\gobiheyi.dll
    SharedTaskScheduler-{efb16caf-c81d-40e5-85e1-42f4b0de8efd} - c:\windows\system32\gobiheyi.dll
    SSODL-hijawenum-{efb16caf-c81d-40e5-85e1-42f4b0de8efd} - c:\windows\system32\gobiheyi.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-19 12:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCD5SRVC{FBEA8B78-1B22F121-05040000}]
    "ImagePath"="\??\c:\progra~1\DELLSU~2\HWDiag\bin\PCD5SRVC.pkms"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(516)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(220)
    c:\windows\system32\WININET.dll
    c:\program files\Quick Search Deskbar\DQSDHost.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\program files\Quick Search Deskbar\DQSDTools.dll
    c:\windows\system32\ImgUtil.dll
    c:\program files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-19 12:53:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-19 16:53
    ComboFix2.txt 2010-04-15 23:40
    ComboFix3.txt 2010-04-15 18:37

    Pre-Run: 30,839,795,712 bytes free
    Post-Run: 30,828,843,008 bytes free

    - - End Of File - - B0C41D79D3FE857AFDD44C995A7DAA39

    ----
    HijackThis Log:
    ----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:55:14, on 4/19/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17023)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/Procurement/Admin/SiteMap.aspx
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [WTClient] WTClient.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [eBook Library Launcher] C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [SlickRun] "C:\Program Files\SlickRun\sr.exe"
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Brian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKUS\S-1-5-18\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1199738893296
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
    O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate1c99460716cd960) (gupdate1c99460716cd960) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 14077 bytes
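The O23 lines in a HijackThis log are the installed services, one per line, in the form `O23 - Service: <display name> (<short name>) - <company> - <path>`. When a helper reads a log like the one above, the first pass is mechanical: find the services with no publisher string ("Unknown owner") or a binary outside Program Files or the Windows directory, since those are the entries that need to be identified by hand. The script below is an added example and is not code posted in this thread or part of HijackThis; it parses O23 entries and applies those two checks. The sample input is five lines copied from the log above plus one constructed entry (the "Example Helper" service, a hypothetical path) so that the path check has something to flag.

```python
"""Triage helper for HijackThis O23 (service) entries.

Added example; not from the forum thread or from HijackThis. It parses the
"O23 - Service:" lines of an HJT log and reports the entries a helper would
look at first: services with no publisher ("Unknown owner") and services
whose binary runs from outside Program Files / the Windows directory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: five entries copied from the log in this thread plus one
# constructed, hypothetical entry ("Example Helper") that runs from a temp
# directory, and one non-O23 line that the parser must ignore.
SAMPLE_LOG = r"""
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate1c99460716cd960) (gupdate1c99460716cd960) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Example Helper (examplehelper) - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\helper.exe
O4 - HKLM\..\Run: [ignored] this is not an O23 line
""".strip()

# Directories a legitimately installed service binary is expected to live under
# (compared case-insensitively, because HJT prints some paths in lowercase).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

O23_PREFIX = "O23 - Service: "
# Display name, optionally followed by the short service name in parentheses.
# The lazy group plus the anchored optional suffix makes the LAST "(...)" the
# short name, so "Intel(R) PROSet/Wireless Event Log (EvtEng)" parses correctly.
NAME_RE = re.compile(r"^(.*?)(?:\s\(([^()]*)\))?$")


@dataclass
class ServiceEntry:
    display_name: str
    short_name: Optional[str]
    company: str
    path: str

    def flags(self) -> List[str]:
        """Reasons this service deserves a manual look (empty list = none)."""
        reasons = []
        if self.company.lower() == "unknown owner":
            reasons.append("no publisher")
        if not self.path.lower().startswith(EXPECTED_ROOTS):
            reasons.append("unusual path")
        return reasons


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HJT log line; return None for anything that is not an O23 entry."""
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    body = line[len(O23_PREFIX):]
    # HJT joins name, company and path with " - "; split from the right so a
    # display name containing a hyphen does not break the field boundaries.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name_part, company, path = parts
    match = NAME_RE.match(name_part)
    return ServiceEntry(match.group(1), match.group(2), company, path)


def triage(log_text: str) -> List[ServiceEntry]:
    """Return the O23 entries in log_text that have at least one flag, in log order."""
    entries = (parse_o23(raw) for raw in log_text.splitlines())
    return [entry for entry in entries if entry is not None and entry.flags()]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        short = entry.short_name or "-"
        print(f"{entry.display_name} ({short}): {', '.join(entry.flags())} -> {entry.path}")
```

Run against the sample, it reports DSBrokerService and WLTRYSVC (no publisher string, but both under expected directories, which matches the Dell/Broadcom components they turned out to be in this log) and the constructed "Example Helper" entry, which trips both checks. A flag is a prompt to identify the file, not a verdict: plenty of vendor services ship without a publisher string, which is exactly why a human reviews the short list rather than a script deleting from it.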

  8. #58
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looks like we got it

    How are things running now?

  9. #59
    Member
    Join Date
    Apr 2010
    Posts
    45

    Default

    Initial tests look good! IE's search results are no longer hijacked, and Chrome is functional again!

    I also ran Spybot to see if it was once again operational. The scan found Virtumonde.sdn: C:\WINDOWS\system32\lesekanu, as well as a couple of Microsoft.WindowsSecurityCenter Override entries. So there may still be some nasty bits left on my PC. And unfortunately, Spybot still appears to be damaged: clicking Fix to remove a few tracking cookies as a test resulted in the application hanging. Should I just reinstall it?

    Also, I'm still very interested in addressing the Java issue. I did some reading this weekend, and I suspect that old, less secure Java code allowed this to happen in the first place. I also noted that the approach some are recommending is completely uninstalling all the Java on the machine, and then installing the latest runtime, so it gets done right.

  10. #60
    Security Expert ken545's Avatar
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Let's update your Java.

    Go to your Control Panel and click on the Java icon (it looks like a little coffee cup), click on About, and you should have Version 6 Update 20; if not, proceed with the instructions.

    Download the latest version Here; save it, do not install it yet.

    Java SE Runtime Environment (JRE) JRE 6 Update 20 <-- The wording is confusing, but this is what you need

    • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
    • Reboot your computer
    • Install the latest version

    You can verify the installation Here

    Go ahead and uninstall and reinstall Spybot; make sure you have the latest version, 1.6.2:
    http://www.safer-networking.org/en/index.html

    Please download ATF Cleaner by Atribune to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Please download Malwarebytes from Here or Here
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed and that they have been added to the delete-on-reboot list, please reboot.
    Post the report and also a new HJT log, please.
