Strange Goings On II

Tim,

What I did was have you run a rootkit scanner. This type of infection does not show up on most regular scanners, as it hides itself, and this program is one of the best for finding rootkits, and it found none.

Why don't you post here in this AVG forum for help with their product? It looks like other people are having the same issue:
http://forums.avg.com/us-en/avg-free-forum

Ken :)
 
Step 8

Hi,

Thank you. I'll try the link you sent and see what happens. Thanks for all the help.

Tim Kimbley
 
You're welcome, Tim,

Keep in mind that when you have problems on your system, they're not always related to malware. There could be many causes: corrupted programs, missing drivers, even failing hardware, and the list goes on.

Take Care,

Ken :)
 
I'm Back

Since your last reply I did some searching and researching. I have had a program in Control Panel > Add/Remove Programs that I have not been able to uninstall. There just is no Remove button when it is highlighted. It is Microsoft Visual J# .NET Redistributable Package 1.1. In my research at MS I found that this is a developer tool, and I do not need or want it, but I haven't been able to get it to show up on any scans we or I have done.
I was looking for a way to get rid of that get Plus (R) Helper 3004, as I had found that these files are part of the Adobe Reader 6.0 install and should delete themselves upon install; therefore they shouldn't be there, and Adobe says to delete them, which I did: I deleted the NOS folder in C:\Program Files where this file resided, but get Plus (R) Helper 3004 is running as a service in Services and does not allow any option to delete it. While attempting to delete this service with HJT, I clicked on Properties for this file in Services and it showed the path to be C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper. I went looking, and in WINDOWS there was no System32 folder, rather a system32 folder. I did not find this file, but in my search I looked in the Installer (hidden) folder and found files in C:\WINDOWS\Microsoft.NET\Framework\VJSharp\VJSharpSxS10.dll and VJSWfcHost.dll. These raised my suspicions that I had finally found the elusive MS Visual J# .NET Framework Redistributable Package 1.1 that I want to delete.
After CAREFUL reading I downloaded ComboFix, saved it to the Desktop as Combo-Fix, and ran it. It turned up the jsharp files. I am sending the ComboFix log for your review. As you will notice, these jsharp files are in the long strings.

ComboFix Log 3-2-11

ComboFix 11-03-02.01 - Owner 03/02/2011 13:33:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.140 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-03-01 19:55 . 2011-03-01 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-21 21:02 . 2011-02-21 21:02 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 19:35 . 2011-02-21 21:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-21 19:35 . 2011-02-21 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-18 13:33 . 2011-02-18 13:33 -------- d-----w- c:\documents and settings\Owner\My Scans
2011-02-17 13:46 . 2011-02-17 13:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2011-02-17 13:36 . 2011-02-21 21:01 -------- d-----w- C:\MSOffice(2)
2011-02-15 18:52 . 2011-02-15 18:52 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2011-02-10 17:48 . 2011-02-21 21:01 -------- d-----w- c:\program files\RegScrubXP
2011-02-08 17:48 . 2011-03-01 20:20 -------- d-----w- c:\program files\Trend Micro
2011-02-07 13:37 . 2011-02-07 13:37 -------- d-----w- c:\program files\Reference Assemblies
2011-02-04 19:34 . 2011-02-04 19:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-04 19:34 . 2011-02-04 19:34 -------- d-----w- c:\documents and settings\Owner\log

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-06-07 22:09 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-10 18:16 . 2011-01-10 18:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-10 18:16 . 2011-01-10 18:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 14:09 . 2004-06-07 22:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:09 . 2011-01-06 16:09 32768 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchapi.dll
2011-01-06 16:09 . 2011-01-06 16:09 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\ZipLib.dll
2011-01-06 16:09 . 2011-01-06 16:09 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchmsxml.dll
2011-01-06 16:09 . 2011-01-06 16:09 26572 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\INV16.dll
2011-01-06 16:09 . 2011-01-06 16:09 3072 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchealthde.exe
2011-01-06 16:09 . 2011-01-06 16:09 5632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\GUI.dll
2011-01-06 16:09 . 2011-01-06 16:09 139264 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\ContentUpdater.exe
2011-01-06 16:09 . 2011-01-06 16:09 45056 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\util.dll
2011-01-06 16:09 . 2011-01-06 16:09 24576 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pcdapi.dll
2011-01-06 16:09 . 2011-01-06 16:09 98304 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PluginCtrl.dll
2011-01-06 16:09 . 2011-01-06 16:09 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\msxmlwrapper.dll
2011-01-06 16:09 . 2011-01-06 16:09 344064 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\api.dll
2011-01-06 16:09 . 2011-01-06 16:09 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\asst_ui.dll
2011-01-06 16:08 . 2011-01-06 16:08 282624 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\clientutil52.dll
2011-01-06 16:08 . 2011-01-06 16:08 356352 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\client_motkt.dll
2011-01-06 16:08 . 2011-01-06 16:08 20480 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\InetCheckWrap.dll
2011-01-06 16:08 . 2011-01-06 16:08 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PCHI18N.dll
2011-01-06 16:08 . 2011-01-06 16:08 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchnotify.exe
2011-01-06 16:08 . 2011-01-06 16:08 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\WinVerifyTrust.dll
2011-01-06 16:08 . 2011-01-06 16:08 4096 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\winverifytrustwrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchmsxml.dll
2011-01-06 16:08 . 2011-01-06 16:08 212992 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\jsharpinterp.dll
2011-01-06 16:08 . 2011-01-06 16:08 159744 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PCHButton.exe
2011-01-06 16:08 . 2011-01-06 16:08 434176 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\motivede.dll
2011-01-06 16:08 . 2011-01-06 16:08 36864 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\gnu.dll
2011-01-06 16:08 . 2011-01-06 16:08 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\hwinv.dll
2011-01-06 16:08 . 2011-01-06 16:08 126976 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\SearchCtrl.dll
2011-01-06 16:08 . 2011-01-06 16:08 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\FDIWrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchealthplugin.dll
2010-12-31 13:10 . 2004-04-02 06:52 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-06-07 22:32 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-06-07 22:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-06-07 22:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-06-07 22:33 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2011-01-06 16:07 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-04-02 06:52 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-06-07 22:32 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-04-02 06:52 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 08:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
S2 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [6/7/2004 4:09 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 13:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2011-03-02 13:45:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-02 19:45

Pre-Run: 63,519,031,296 bytes free
Post-Run: 63,451,639,808 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 590401070616869110C053022084D660
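The post above shows the two places a shared-process service such as nosGetPlusHelper actually lives: the "svchost.exe -k <group>" ImagePath in Services, and the Svchost registry key listed in the ComboFix log under "Reg Loading Points". Neither tells you which DLL the group loads; that is the ServiceDll value under the service's Parameters key. The script below is an added example (not from the original post, ComboFix or HijackThis) that walks from an svchost group name to each hosted service, expands its ServiceDll path, checks that the file exists and reports its Authenticode signer. It assumes an elevated PowerShell 3 or later prompt on a Windows box; the group name nosGetPlusHelper is taken from the log, and the "System32" vs "system32" difference the poster noticed is not a discrepancy, since NTFS paths are case-insensitive.

```powershell
# Added example, not code from the original thread.
# Resolve an svchost.exe "-k <group>" service group to the services it hosts and
# the DLL each service loads (Parameters\ServiceDll), then verify the DLL.
# Assumes an elevated PowerShell 3+ prompt; group name taken from the log above.
param([string]$Group = 'nosGetPlusHelper')

# The Svchost key maps a group name to a REG_MULTI_SZ list of service names
# (this is the key ComboFix printed as "nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper").
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members    = (Get-ItemProperty -Path $svchostKey -ErrorAction Stop).$Group
if (-not $members) {
    Write-Output "No svchost group named '$Group' is registered."
    return
}

foreach ($svc in @($members)) {
    $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $svcProps = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $params   = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue

    # ServiceDll is normally REG_EXPAND_SZ (e.g. %SystemRoot%\system32\foo.dll).
    # Expand it before testing; NTFS is case-insensitive, so System32/system32 both resolve.
    $dll = $null
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    }

    $result = [ordered]@{
        Service    = $svc
        Start      = $svcProps.Start       # 2 = Auto, 3 = Manual, 4 = Disabled
        ImagePath  = $svcProps.ImagePath   # expected: ...\svchost.exe -k <group>
        ServiceDll = $dll
        DllExists  = $false
        Signer     = $null
    }

    if ($dll) { $result.DllExists = Test-Path -LiteralPath $dll }

    # A missing DLL means the service can no longer start but its registration lingers;
    # a present DLL should carry a signature from the vendor you expect.
    if ($result.DllExists) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.SignerCertificate) {
            $result.Signer = $sig.SignerCertificate.Subject
        } else {
            $result.Signer = "unsigned ($($sig.Status))"
        }
    }

    New-Object PSObject -Property $result
}
```

Run it as `.\Resolve-SvchostGroup.ps1 -Group nosGetPlusHelper` (any file name works; the name is an assumption). A service whose ServiceDll no longer exists, as happens after a vendor folder is deleted by hand, is an orphaned registration rather than a running threat: the Start value of 4 in the log's "S4" line means it is disabled, so removing the leftover registration with `sc delete <name>` from an elevated prompt is the clean-up, and the same script is a quick way to confirm that every other svchost group on the box points at signed, present DLLs.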
 