
Thread: Can't get Virtumonde.prx trojan off my computer

  1. #1
    Junior Member (Join Date: Oct 2010, Posts: 10)

    Can't get Virtumonde.prx trojan off my computer

    Spybot S&D caught it but it still keeps popping up. Won't clean it.
    Here is the log:

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Compaq_Owner at 21:44:14.96 on Wed 10/20/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.332 [GMT -5:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    f:\Program Files\iWin Games\iWinTrusted.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ACT\ACT for Windows\Act8.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Portrait Displays\Pivot Software\floater.exe
    C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    c:\windows\system\hpsysdrv.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\Fred Pics\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://news.google.com/
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [Fqibinag] rundll32.exe "c:\windows\sgmsau.dll",Startup
    mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
    mRun: [PCDrProfiler]
    mRun: [hpqSRMon]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
    mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Bladegifop] rundll32.exe "c:\windows\ekilimel.dll",Startup
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: microsoft.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
    R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
    S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]

    =============== Created Last 30 ================

    2010-10-19 06:00:35 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{bc45fed6-0281-4ab7-822b-24316d970d29}\mpengine.dll
    2010-10-19 01:24:57 0 ----a-w- c:\windows\Qworof.bin
    2010-10-19 01:24:54 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\{D65B0306-13C7-4295-A32B-C2C9310980C2}
    2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
    2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
    2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
    2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
    2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
    2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
    2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
    2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
    2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
    2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
    2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
    2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2010-09-24 17:11:42 796672 ----a-w- c:\windows\system32\drivers\umdf\ZuneDriver.dll
    2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
    2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2010-09-24 17:06:10 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys

    ==================== Find3M ====================

    2010-10-21 02:19:24 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-27 23:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-07-27 23:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

    ============= FINISH: 21:45:46.92 ===============
    Last edited by tashi; 2010-10-21 at 20:53. Reason: Moved from Spybot-S&D forum

  2. #2
    Emeritus (Join Date: Aug 2007, Posts: 1,875)

    Hello and welcome to Safer Networking.

    My name is km2357 and I will be helping you to remove any infection(s) that you may have.

    I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

    If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

    Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

    Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

    Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


    Step # 1: Download and run DDS

    Download DDS and save it to your desktop from here or here or here
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.



    Step # 2: Download and run GMER

    Please download gmer.zip from Gmer and save it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

    If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error, etc.!

    Please post the results from the GMER scan in your reply.


    In your next post/reply, I need to see the following:

    1. The two DDS Logs (DDS and Attach.txt)
    2. The GMER Log

    Use multiple posts if you can't fit everything into one post.
    Malware Removal University Master
    Member of ASAP & UNITE

  3. #3
    Junior Member (Join Date: Oct 2010, Posts: 10)

    Here are the DDS files requested (see below & attached zip file). When I tried to run GMER, this is what I got when it seemed to have finished the scan:
    Windows - Delayed Write Failed
    Windows was unable to save all the data for the file \Device\Harddisk\Volume2\$Mft. The data has been lost. This error may have been caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

    There were errors like this one with about 4 other files. When I tried to save the log to my desktop, it locked up & wouldn't save or cancel, so I lost it. I will attempt to re-run it & post it. (It may take a while.)

    DDS (Ver_10-10-21.02) - NTFSx86
    Run by Compaq_Owner at 19:14:15.40 on Tue 10/26/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.299 [GMT -5:00]

    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    f:\Program Files\iWin Games\iWinTrusted.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ACT\ACT for Windows\Act8.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Portrait Displays\Pivot Software\floater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\Fred Pics\dds (1).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://news.google.com/
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
    mRun: [PCDrProfiler]
    mRun: [hpqSRMon]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
    mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Bladegifop] rundll32.exe "c:\windows\ekilimel.dll",Startup
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: microsoft.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
    R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
    S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]

    =============== Created Last 30 ================

    2010-10-23 22:42:34 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6733bc39-b0c4-4068-b54c-d9854869d80d}\mpengine.dll
    2010-10-19 01:24:57 0 ----a-w- c:\windows\Qworof.bin
    2010-10-19 01:24:54 -------- d-----w- c:\docume~1\compaq~1\locals~1\applic~1\{D65B0306-13C7-4295-A32B-C2C9310980C2}
    2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
    2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
    2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
    2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
    2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
    2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
    2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
    2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
    2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
    2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
    2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
    2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    ==================== Find3M ====================

    2010-10-25 17:49:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
    2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 19:15:51.84 ===============

  4. #4
    Emeritus (Join Date: Aug 2007, Posts: 1,875)

    Quote: There were errors like this one with about 4 other files. When I tried to save the log to my desktop, it locked up & wouldn't save or cancel, so I lost it. I will attempt to re-run it & post it. (It may take a while.)
    Ok, if you're unable to get a GMER log when running it a 2nd time, let me know and we'll try another rootkit scanner.
    Malware Removal University Master
    Member of ASAP & UNITE

  5. #5
    Junior Member (Join Date: Oct 2010, Posts: 10)

    Got the GMER to run successfully this time. Note: I have more than 1 hard drive on this computer; thought I should mention it in case that is important. (BTW, thanks for all your help.)

    Here are the results:


    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-27 15:52:59
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pglyqpow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b@0012d11e226a 0x89 0xC5 0x27 0xC8 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b0d0b4d1b@0012d11e226a 0x89 0xC5 0x27 0xC8 ...

    ---- EOF - GMER 1.0.15 ----

  6. #6
    Emeritus (Join Date: Aug 2007, Posts: 1,875)

    Step # 1: Download and Run ComboFix

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    *Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.
    Malware Removal University Master
    Member of ASAP & UNITE

  7. #7
    Junior Member (Join Date: Oct 2010, Posts: 10)

    Here is the ComboFix log:


    ComboFix 10-10-26.04 - Compaq_Owner 10/27/2010 20:59:04.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.466 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Compaq_Owner\Application Data\avdrn.dat
    c:\documents and settings\Compaq_Owner\g2mdlhlpx.exe
    c:\documents and settings\Compaq_Owner\Recent\Thumbs.db
    D:\Autorun.inf
    G:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
    .

    2010-10-23 22:42 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6733BC39-B0C4-4068-B54C-D9854869D80D}\mpengine.dll
    2010-10-19 01:24 . 2010-10-20 01:38 0 ----a-w- c:\windows\Qworof.bin
    2010-10-19 01:24 . 2010-10-19 01:24 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\{D65B0306-13C7-4295-A32B-C2C9310980C2}
    2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
    2010-10-18 19:10 . 2010-10-18 19:11 -------- d-----w- c:\program files\iTunes
    2010-10-18 19:04 . 2010-10-18 19:04 -------- d-----w- c:\program files\Bonjour
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-PT
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-BR
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\nl-NL
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\it-IT
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\fr-FR
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\es-ES
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\de-DE
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-PT
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
    2010-10-15 15:53 . 2010-10-15 15:53 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
    2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-14 16:30 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-14 16:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 20:51 . 2009-12-02 00:16 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2009-12-02 06:54 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
    2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
    2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
    2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-09-24 18:19 . 2010-09-24 18:19 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
    2010-09-24 17:11 . 2010-09-24 17:11 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2010-09-24 17:11 . 2010-09-24 17:11 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2010-09-24 17:11 . 2010-09-24 17:11 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2010-09-24 17:11 . 2010-09-24 17:11 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2010-09-24 17:11 . 2010-09-24 17:11 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2010-09-24 17:11 . 2010-09-24 17:11 796672 ----a-w- c:\windows\system32\drivers\UMDF\ZuneDriver.dll
    2010-09-24 17:11 . 2010-09-24 17:11 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
    2010-09-24 17:11 . 2010-09-24 17:11 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2010-09-24 17:06 . 2010-09-24 17:06 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
    2010-09-24 16:31 . 2009-08-17 17:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2010-09-18 17:23 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-01-28 14:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 06:53 . 2008-01-28 14:16 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-10 05:58 . 2008-01-28 14:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2008-01-28 14:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2008-01-28 14:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2008-01-28 16:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2008-01-28 14:20 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2008-01-28 14:20 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2008-01-28 14:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2008-01-28 14:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 00:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-01-28 16:34 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-01-28 14:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2008-01-28 14:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2008-03-29 02:40 . 2008-03-29 02:40 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-03-29 02:40 . 2008-03-29 02:40 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2008-03-29 02:40 . 2008-03-29 02:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-27 198160]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-06 1015808]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
    "DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "f:\\Program Files\\iWin Games\\iWinGames.exe"=
    "f:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 iWinTrusted;iWinTrusted;f:\program files\iWin Games\iWinTrusted.exe [7/9/2009 3:21 PM 78104]
    R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11/21/2009 5:22 PM 109168]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 11:35 PM 136176]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys --> c:\windows\system32\DRIVERS\BLKWGD.sys [?]
    S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - pglyqpow

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

    2010-10-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

    2010-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009Core.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]

    2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009UA.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.google.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: microsoft.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKLM-Run-PCDrProfiler - (no file)
    HKLM-Run-hpqSRMon - (no file)
    HKLM-Run-Bladegifop - c:\windows\ekilimel.dll
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-__KITTY_LUV___is1 - c:\program files\Kitty Luv\unins000.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-27 21:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-10-27 21:34:50
    ComboFix-quarantined-files.txt 2010-10-28 02:34

    Pre-Run: 103,471,718,400 bytes free
    Post-Run: 104,223,494,144 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 0F9E3BDFD9E6F337CC32BA9F8728F9F1
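
    The ComboFix output above is read by hand in this thread. As an added example, not part of the thread, of DDS or of ComboFix, the following Python script applies the same kind of reasoning to a handful of lines copied from these logs (a constructed sample that also includes two known-good lines, mpengine.dll and MSSE, which must not be flagged): a new file dropped directly in c:\windows (Qworof.bin), a Run entry pointing at a missing file or at a DLL sitting in c:\windows (the orphans listed above), the firewall's standard profile disabled, Autorun.inf on non-system drives, and a hosts-file entry mapping a site to 127.0.0.1. The rules are my own heuristics, and the c:\windows path and C: system drive are assumptions taken from this machine's layout; the script flags lines for a human to review and decides nothing on its own.

```python
"""Heuristic triage of DDS / ComboFix log lines.

Added example for this thread; not part of DDS, ComboFix or the forum's procedure.
The rules mirror what a helper checks by eye: they flag lines for review only.
"""
import ntpath
import re

# Constructed sample: lines copied from the DDS and ComboFix logs posted in this
# thread, plus two known-good lines (mpengine.dll, MSSE) that must not be flagged.
SAMPLE_LOG = r"""
2010-10-19 01:24 . 2010-10-20 01:38 0 ----a-w- c:\windows\Qworof.bin
2010-10-23 22:42 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6733BC39-B0C4-4068-B54C-D9854869D80D}\mpengine.dll
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
HKLM-Run-Bladegifop - c:\windows\ekilimel.dll
HKLM-Run-PCDrProfiler - (no file)
"EnableFirewall"= 0 (0x0)
D:\Autorun.inf
G:\Autorun.inf
Hosts: 127.0.0.1 www.spywareinfo.com
"""

WINDOWS_DIR = r"c:\windows"  # assumption: XP default install path, as in the logs
SYSTEM_DRIVE = "C"           # assumption: the system volume of this machine

# "Files Created" row in DDS (date time:sec size attrs path) or ComboFix
# (created . modified size attrs path); both shapes are accepted.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Live Run value as ComboFix prints it:  "Name"="target" [date size]
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
# "ORPHANS REMOVED" row:  HKLM-Run-Name - target
ORPHAN_RE = re.compile(r"^HK(?:LM|CU)-Run-(?P<name>\S+) - (?P<target>.+)$")
AUTORUN_RE = re.compile(r"^(?P<drive>[A-Za-z]):\\autorun\.inf$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts: 127\.0\.0\.1 (?P<host>\S+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"= 0\b')


def in_windows_root(path):
    """True when the file sits directly in the Windows directory, not a subfolder."""
    return ntpath.dirname(path).lower() == WINDOWS_DIR


def check_created(line):
    """Newly created file directly in the Windows root (zero-byte ones especially)."""
    m = CREATED_RE.match(line)
    if not m or m["attrs"].startswith("d") or not in_windows_root(m["path"]):
        return None
    size_note = "zero-byte " if m["size"] == "0" else ""
    return f"{size_note}file created directly in {WINDOWS_DIR}: {m['path']}"


def check_run_target(line):
    """Run value whose target is gone, or is a bare DLL in the Windows root."""
    m = RUN_VALUE_RE.match(line) or ORPHAN_RE.match(line)
    if not m:
        return None
    name, target = m["name"], m["target"].strip()
    if target.lower() == "(no file)":
        return f"Run entry {name} points at a missing file"
    if ntpath.splitext(target)[1].lower() == ".dll" and in_windows_root(target):
        return f"Run entry {name} loads a DLL from {WINDOWS_DIR}: {target}"
    return None


def check_firewall(line):
    """Standard-profile firewall switched off in the exported policy key."""
    if FIREWALL_OFF_RE.match(line):
        return "Windows Firewall is disabled in the standard profile"
    return None


def check_autorun(line):
    """Autorun.inf in the root of a drive other than the system drive."""
    m = AUTORUN_RE.match(line)
    if m and m["drive"].upper() != SYSTEM_DRIVE:
        return f"Autorun.inf on non-system drive {m['drive'].upper()}:"
    return None


def check_hosts(line):
    """Hosts-file override sending a real site to the loopback address."""
    m = HOSTS_RE.match(line)
    if m and m["host"].lower() != "localhost":
        return f"hosts file redirects {m['host']} to 127.0.0.1"
    return None


CHECKS = (check_created, check_run_target, check_firewall, check_autorun, check_hosts)


def triage(log_text):
    """Return one finding dict per flagged line: rule name, the line, and the reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append({"rule": check.__name__, "line": line, "reason": reason})
                break  # one rule per line is enough for a review list
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['reason']}")
```

    Run against the sample it lists seven lines for review and leaves the Microsoft Security Essentials entries alone; feed it a whole ComboFix.txt or DDS.txt and it will do the same, but every hit still needs the file or registry value checked before anything is scripted for removal.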

  8. #8
    Emeritus (Join Date: Aug 2007, Posts: 1,875)

    Step # 1: Disable Teatimer

    Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

    This is a two step process.
    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident


    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (it shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.



    Step # 2: Run CFScript

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      KILLALL::
      
      File::
      
      c:\windows\Qworof.bin
      
      DDS::
      
      TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [screenshot not reproduced]

      Note: This CFScript is for use on freder1ck's computer only! Do not use it on your computer.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    In your next post/reply, I need to see the following:

    1. The ComboFix Log that appears after Step 2 has been completed.
    2. A fresh DDS Log taken after Step 2 has been completed.
    Malware Removal University Master
    Member of ASAP & UNITE

  9. #9
    Junior Member (Join Date: Oct 2010, Posts: 10)

    OK, here is the 2nd ComboFix log (and underneath that the fresh DDS log):

    ComboFix 10-10-26.04 - Compaq_Owner 10/29/2010 11:05:00.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.666 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    FILE ::
    "c:\windows\Qworof.bin"
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))
    .

    2010-10-29 15:31 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5431F9F3-C2A4-46BB-8B39-BE6DDCAB2565}\mpengine.dll
    2010-10-18 19:10 . 2010-10-18 19:10 -------- d-----w- c:\program files\iPod
    2010-10-18 19:10 . 2010-10-18 19:11 -------- d-----w- c:\program files\iTunes
    2010-10-18 19:04 . 2010-10-18 19:04 -------- d-----w- c:\program files\Bonjour
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-PT
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\pt-BR
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\nl-NL
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\it-IT
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\fr-FR
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\es-ES
    2010-10-15 16:48 . 2010-10-15 16:48 -------- d-----w- c:\windows\system32\de-DE
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-BR
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\pt-PT
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\nl-NL
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\it-IT
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\de-DE
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\fr-FR
    2010-10-15 15:55 . 2010-10-15 15:55 -------- d-----w- c:\windows\system32\drivers\UMDF\es-ES
    2010-10-15 15:53 . 2010-10-15 15:53 -------- d-----w- c:\windows\system32\drivers\UMDF\en-US
    2010-10-14 16:30 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-14 16:30 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-14 16:30 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 20:51 . 2009-12-02 00:16 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2009-12-02 06:54 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-PT\ZuneDriver.dll.mui
    2010-09-24 18:25 . 2010-09-24 18:25 6144 ----a-w- c:\windows\system32\drivers\UMDF\pt-BR\ZuneDriver.dll.mui
    2010-09-24 18:25 . 2010-09-24 18:25 6656 ----a-w- c:\windows\system32\drivers\UMDF\nl-NL\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\it-IT\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\fr-FR\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6656 ----a-w- c:\windows\system32\drivers\UMDF\es-ES\ZuneDriver.dll.mui
    2010-09-24 18:24 . 2010-09-24 18:24 6144 ----a-w- c:\windows\system32\drivers\UMDF\de-DE\ZuneDriver.dll.mui
    2010-09-24 18:19 . 2010-09-24 18:19 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-09-24 18:19 . 2010-09-24 18:19 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2010-09-24 17:14 . 2010-09-24 17:14 6144 ----a-w- c:\windows\system32\drivers\UMDF\en-US\ZuneDriver.dll.mui
    2010-09-24 17:11 . 2010-09-24 17:11 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2010-09-24 17:11 . 2010-09-24 17:11 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2010-09-24 17:11 . 2010-09-24 17:11 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2010-09-24 17:11 . 2010-09-24 17:11 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2010-09-24 17:11 . 2010-09-24 17:11 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2010-09-24 17:11 . 2010-09-24 17:11 796672 ----a-w- c:\windows\system32\drivers\UMDF\ZuneDriver.dll
    2010-09-24 17:11 . 2010-09-24 17:11 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
    2010-09-24 17:11 . 2010-09-24 17:11 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2010-09-24 17:06 . 2010-09-24 17:06 41472 ----a-w- c:\windows\system32\drivers\zumbus.sys
    2010-09-24 16:31 . 2009-08-17 17:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2010-09-18 17:23 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-01-28 14:16 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-01-28 14:16 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 06:53 . 2008-01-28 14:16 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-10 05:58 . 2008-01-28 14:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2008-01-28 14:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2008-01-28 14:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2008-01-28 16:34 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2008-01-28 14:20 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2008-01-28 14:20 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2008-01-28 14:18 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2008-01-28 14:18 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 00:07 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2008-01-28 16:34 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17 . 2008-01-28 14:18 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45 . 2008-01-28 14:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2008-03-29 02:40 . 2008-03-29 02:40 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-03-29 02:40 . 2008-03-29 02:40 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2008-03-29 02:40 . 2008-03-29 02:40 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-27 198160]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Act! Preloader"="c:\program files\ACT\ACT for Windows\Act8.exe" [2006-04-06 1015808]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
    "DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-7 27136]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "f:\\Program Files\\iWin Games\\iWinGames.exe"=
    "f:\\Program Files\\iWin Games\\WebUpdater.exe"=
    "c:\\Program Files\\ACT\\ACT for Windows\\Act8.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 iWinTrusted;iWinTrusted;f:\program files\iWin Games\iWinTrusted.exe [7/9/2009 3:21 PM 78104]
    R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7 [?]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [11/21/2009 5:22 PM 109168]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/15/2010 11:35 PM 136176]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\DRIVERS\BLKWGD.sys --> c:\windows\system32\DRIVERS\BLKWGD.sys [?]
    S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 --> c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7 [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [9/24/2010 1:19 PM 268528]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

    2010-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-05-16 04:47]

    2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009Core.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]

    2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-904784269-2011242793-1284138811-1009UA.job
    - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 01:53]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://news.google.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: microsoft.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-10-29 11:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3920)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Portrait Displays\Pivot Software\winphook.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Portrait Displays\Pivot Software\floater.exe
    c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    c:\program files\Acer Display\eDisplay Management\DTHtml.exe
    c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\ALCXMNTR.EXE
    c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-29 11:26:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-29 16:26
    ComboFix2.txt 2010-10-29 04:04
    ComboFix3.txt 2010-10-28 02:34

    Pre-Run: 105,828,130,816 bytes free
    Post-Run: 105,819,549,696 bytes free

    - - End Of File - - 1DD944FC28ACD7FD80AC4EB50C67E25C


    Here is the DDS log taken after rerunning the ComboFix per your instructions. Also see attached file.



    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Compaq_Owner at 12:10:57.10 on Fri 10/29/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1214.545 [GMT -5:00]

    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    f:\Program Files\iWin Games\iWinTrusted.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ACT\ACT for Windows\Act8.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Portrait Displays\Pivot Software\floater.exe
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
    C:\Program Files\Acer Display\eDisplay Management\DTHtml.exe
    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://news.google.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    uRun: [Google Update] "c:\documents and settings\compaq_owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [Act! Preloader] "c:\program files\act\act for windows\Act8.exe" -stayrunning
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
    mRun: [DT ACR] c:\program files\common files\portrait displays\shared\DT_startup.exe -ACR
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: microsoft.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215052412265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    R2 iWinTrusted;iWinTrusted;f:\program files\iwin games\iWinTrusted.exe [2009-7-9 78104]
    R2 MSSQL$ACT7;MSSQL$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sact7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlservr.exe -sACT7 [?]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-11-21 109168]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 136176]
    S3 BLKWGD;Belkin Wireless G Desktop Card Service;c:\windows\system32\drivers\blkwgd.sys --> c:\windows\system32\drivers\BLKWGD.sys [?]
    S3 SQLAgent$ACT7;SQLAgent$ACT7;c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.exe -i act7 --> c:\program files\microsoft sql server\mssql$act7\binn\sqlagent.EXE -i ACT7 [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]

    =============== Created Last 30 ================

    2010-10-29 17:05:22 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6c6fe288-8afd-48b7-92fd-b95ea101ace2}\mpengine.dll
    2010-10-29 16:02:49 -------- d-----w- C:\ComboFix
    2010-10-28 01:52:16 -------- d-sha-r- C:\cmdcons
    2010-10-28 01:47:30 79872 ----a-w- c:\windows\MBR.exe
    2010-10-28 01:47:30 256512 ----a-w- c:\windows\PEV.exe
    2010-10-28 01:47:30 161792 ----a-w- c:\windows\SWREG.exe
    2010-10-28 01:47:29 98816 ----a-w- c:\windows\sed.exe
    2010-10-18 19:10:34 -------- d-----w- c:\program files\iPod
    2010-10-18 19:10:28 -------- d-----w- c:\program files\iTunes
    2010-10-18 19:04:32 -------- d-----w- c:\program files\Bonjour
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-PT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\pt-BR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\nl-NL
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\it-IT
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\fr-FR
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\es-ES
    2010-10-15 16:48:42 -------- d-----w- c:\windows\system32\de-DE
    2010-10-15 15:55:58 -------- d-----w- c:\windows\system32\drivers\umdf\pt-BR
    2010-10-15 15:55:56 -------- d-----w- c:\windows\system32\drivers\umdf\pt-PT
    2010-10-15 15:55:53 -------- d-----w- c:\windows\system32\drivers\umdf\nl-NL
    2010-10-15 15:55:50 -------- d-----w- c:\windows\system32\drivers\umdf\it-IT
    2010-10-15 15:55:46 -------- d-----w- c:\windows\system32\drivers\umdf\de-DE
    2010-10-15 15:55:41 -------- d-----w- c:\windows\system32\drivers\umdf\fr-FR
    2010-10-15 15:55:37 -------- d-----w- c:\windows\system32\drivers\umdf\es-ES
    2010-10-15 15:53:59 -------- d-----w- c:\windows\system32\drivers\umdf\en-US
    2010-10-14 16:30:14 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-14 16:30:13 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-14 16:30:00 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

    ==================== Find3M ====================

    2010-10-29 16:19:39 1838 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-24 18:19:16 444656 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2010-09-24 18:19:08 57072 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2010-09-24 17:11:44 65024 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2010-09-24 17:11:44 58368 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2010-09-24 17:11:44 46080 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2010-09-24 17:11:44 365056 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2010-09-24 17:11:44 130560 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2010-09-24 17:11:42 205824 ----a-w- c:\windows\system32\ZuneCoInst.dll
    2010-09-24 17:11:42 203776 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2010-09-24 16:31:24 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 12:11:58.01 ===============

  10. #10
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    Step # 1 Update Java

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

    Please follow these steps to remove older-version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u22.
    • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Remove the following old versions of Java:
      • J2SE Runtime Environment 5.0 Update 5
      • Java(TM) 6 Update 5
      • Java(TM) 6 Update 17

    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • From your desktop double-click on the download to install the newest version.




    Step # 2: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Step # 3 Download and Run Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.


    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Post the MalwareBytes' Log in your next post/reply.
    Malware Removal University Master
    Member of ASAP & UNITE
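A way to make the Step # 1 check repeatable: an added Python example (not part of this thread, of DDS or of the helper's instructions) that reads the Java versions a DDS log exposes through its BrowserJavaVersion field and the jinstall DPF entries, and lists those older than the 6u22 the helper asks for. The sample lines are constructed from the log above; the 6u22 target and the Add/Remove Programs display names are assumptions taken from Step # 1.

```python
import re

# Assumption: the JRE the helper asks for in Step # 1 is 6u22, as (major, update).
TARGET_JRE = (6, 22)

# Constructed sample in the shape of the DDS log posted above (not the full log).
# The DPF entries are the Java installer CABs DDS lists under the Pseudo HJT Report.
SAMPLE_DDS_LINES = [
    "Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17",
    "DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab",
    "DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab",
    "DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab",
    "DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab",
]

# "jinstall-1_6_0_17-..." -> major 6, update 17; "BrowserJavaVersion: 1.6.0_17" -> the same.
JINSTALL_RE = re.compile(r"jinstall-1_(\d+)_0_(\d+)-", re.IGNORECASE)
BROWSER_JAVA_RE = re.compile(r"BrowserJavaVersion:\s*1\.(\d+)\.0_(\d+)")


def java_versions_in_log(lines):
    """Return the distinct (major, update) JRE versions the DDS lines reveal, sorted."""
    found = set()
    for line in lines:
        for pattern in (JINSTALL_RE, BROWSER_JAVA_RE):
            match = pattern.search(line)
            if match:
                found.add((int(match.group(1)), int(match.group(2))))
    return sorted(found)


def outdated_java_versions(lines, target=TARGET_JRE):
    """Versions strictly older than the target; tuple comparison orders 5.x before 6.x."""
    return [version for version in java_versions_in_log(lines) if version < target]


def display_name(version):
    """Assumed Add/Remove Programs name for a JRE version, in the form Step # 1 uses."""
    major, update = version
    if major == 5:
        return f"J2SE Runtime Environment 5.0 Update {update}"
    return f"Java(TM) {major} Update {update}"


def removal_checklist(lines, target=TARGET_JRE):
    """The entries to uninstall before installing the target JRE."""
    return [display_name(v) for v in outdated_java_versions(lines, target)]


if __name__ == "__main__":
    for entry in removal_checklist(SAMPLE_DDS_LINES):
        print("remove:", entry)
```

Run against the sample it reproduces the three entries Step # 1 tells the poster to remove; a DDS log that only shows 1.6.0_22 yields an empty list.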
