I did everything you told me to do.
You have no idea how very grateful I am for all your help.
It seems to have worked.
I have the desktop back, including the toolbar and icons.
Thank you kindly Katana!
Please find below all three logs you have asked me to post.
Should I rescan with HijackThis and post a new log, or should everything be fine now?
======================================================
Malwarebytes' Anti-Malware 1.30
Database version: 1354
Windows 5.1.2600 Service Pack 3
01/11/2008 7:26:34 PM
mbam-log-2008-11-01 (19-26-34).txt
Scan type: Full Scan (C:\|)
Objects scanned: 121330
Time elapsed: 35 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3912dde2-4295-4a5f-a8e4-a1b1c7ef7313} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\_unodbc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\TinyProxy (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\690974 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\907465 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\846888 (Trojan.BHO) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\fmark2.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\_unodbc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
========================================
SDFix: Version 1.238
Run by Administrator on 01/11/2008 at 07:44 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-01 20:42:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
C:\Documents and Settings\Murray\Local Settings\Temporary Internet Files\Content.IE5\6E24DJ5E\CAWG7E49CA4CWUH6CAB01MJXCAEA4FKHCAH18PFGCAD194MWCA2K8WIWCAL0TTQ5CAK38RR6CAMLMQ7DCAJ0N3K0CAUZ6EIYCAHSY1TDCAK48RNYCALWWQHECA2YK2LICAO2IG7GCAJB1ZTVCAQJI7QGCA41XTVM 0 bytes
C:\Documents and Settings\Murray\Local Settings\Temporary Internet Files\Content.IE5\6E24DJ5E\wbk300.tmp 5827 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe"="C:\\Program Files\\ACT\\ACT for Win 7\\Act7.exe:*:Enabled:ACT! 7.x/2005"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Disabled:Windowsr NetMeetingr"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Synology Assistant\\DSAssistant.exe"="C:\\Program Files\\Synology Assistant\\DSAssistant.exe:*:Enabled:Synology Assistant"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\tinyproxy\\tinyproxy1.exe"="C:\\Program Files\\tinyproxy\\tinyproxy1.exe:*:Enabled:TINYPROXY"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
Files with Hidden Attributes :
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 15 Sep 2008 12,032 ..SHR --- "C:\Program Files\ProtectService\ProtectService.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 18 Aug 2008 1,832,272 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Thu 9 Dec 2004 56 ..SHR --- "C:\WINDOWS\SYSTEM32\E91688A5BD.sys"
Thu 9 Dec 2004 1,682 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys"
Mon 27 Oct 2008 18,432 A..H. --- "C:\Documents and Settings\Murray\Application Data\EHEncrypt.dll"
Mon 27 Oct 2008 19,968 A..H. --- "C:\Documents and Settings\Murray\Application Data\EHMD5.dll"
Mon 27 Oct 2008 52,224 A..H. --- "C:\Documents and Settings\Murray\Application Data\EHZComp.dll"
Mon 27 Oct 2008 33,280 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSEncryptPlugin1636.dll"
Mon 27 Oct 2008 36,352 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSFolderitemsCreatePlugin1635.dll"
Mon 27 Oct 2008 32,256 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSIconPlugin1635.dll"
Mon 27 Oct 2008 28,672 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSMacOSXPlugin1635.dll"
Mon 27 Oct 2008 41,984 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSMainPlugin1635.dll"
Mon 27 Oct 2008 29,184 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSMemoryPlugin1635.dll"
Mon 27 Oct 2008 53,760 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSPicturePlugin1635.dll"
Mon 27 Oct 2008 37,376 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSPictureMacPlugin1635.dll"
Mon 27 Oct 2008 25,088 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSPluginVersionPlugin1635.dll"
Mon 27 Oct 2008 32,256 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSProcessPlugin1636.dll"
Mon 27 Oct 2008 54,272 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSQTImporterPlugin1635.dll"
Mon 27 Oct 2008 49,664 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSQuickTimePlugin1636.dll"
Mon 27 Oct 2008 29,184 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSRectPlugin1635.dll"
Mon 27 Oct 2008 26,112 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSRegistrationPlugin1636.dll"
Mon 27 Oct 2008 36,352 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSRegistryPlugin1636.dll"
Mon 27 Oct 2008 48,128 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSResPlugin1635.dll"
Mon 27 Oct 2008 26,112 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSResStreamPlugin1635.dll"
Mon 27 Oct 2008 26,624 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSUsernamePlugin1635.dll"
Mon 27 Oct 2008 51,712 A..H. --- "C:\Documents and Settings\Murray\Application Data\MBSWinPlugin1635.dll"
Mon 27 Oct 2008 64,512 A..H. --- "C:\Documents and Settings\Murray\Application Data\rbap450.dll"
Mon 27 Oct 2008 75,776 A..H. --- "C:\Documents and Settings\Murray\Application Data\rbqt450.DLL"
Mon 27 Oct 2008 41,472 A..H. --- "C:\Documents and Settings\Murray\Application Data\RBShell400.dll"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Finished!
ComboFix 08-11-02.03 - Administrator 2008-11-02 16:53:58.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.473 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.MURRAY-LAPTOP\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Murray\Application Data\EHMD5.dll
C:\Documents and Settings\Murray\Application Data\MBSEncryptPlugin1636.dll
C:\Documents and Settings\Murray\Application Data\MBSFolderitemsCreatePlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSIconPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSMacOSXPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSMainPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSMemoryPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSPictureMacPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSPicturePlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSPluginVersionPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSProcessPlugin1636.dll
C:\Documents and Settings\Murray\Application Data\MBSQTImporterPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSQuickTimePlugin1636.dll
C:\Documents and Settings\Murray\Application Data\MBSRectPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSRegistrationPlugin1636.dll
C:\Documents and Settings\Murray\Application Data\MBSRegistryPlugin1636.dll
C:\Documents and Settings\Murray\Application Data\MBSResPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSResStreamPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSUsernamePlugin1635.dll
C:\Documents and Settings\Murray\Application Data\MBSWinPlugin1635.dll
C:\Documents and Settings\Murray\Application Data\rbap450.dll
C:\Documents and Settings\Murray\Application Data\rbqt450.DLL
C:\Documents and Settings\Murray\Application Data\RBShell400.dll
C:\Program Files\ProtectService
C:\Program Files\ProtectService\ProtectService.exe
C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\winhelp.ini
.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.
2008-11-01 18:42 . 2008-11-01 18:42 578,560 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-11-01 18:39 . 2008-11-01 18:40 <DIR> d-------- C:\WINDOWS\ERUNT
2008-11-01 17:31 . 2008-11-01 17:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-01 17:31 . 2008-11-01 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-01 17:31 . 2008-11-01 17:31 <DIR> d-------- C:\Documents and Settings\Administrator.MURRAY-LAPTOP\Application Data\Malwarebytes
2008-11-01 17:31 . 2008-10-22 15:10 38,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-01 17:31 . 2008-10-22 15:10 15,504 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-11-01 17:30 . 2008-11-01 19:48 <DIR> d-------- C:\SDFix
2008-10-31 19:27 . 2008-10-31 19:27 <DIR> d-------- C:\rsit
2008-10-31 19:27 . 2008-10-31 19:27 <DIR> d-------- C:\Program Files\trend micro
2008-10-31 19:26 . 2008-10-31 19:26 <DIR> d-------- C:\Documents and Settings\Administrator.MURRAY-LAPTOP
2008-10-31 09:14 . 2008-10-31 09:14 <DIR> d-------- C:\Documents and Settings\FixIt.MURRAY-LAPTOP
2008-10-29 10:05 . 2008-06-19 16:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-10-29 10:04 . 2008-10-29 10:04 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-10-29 10:04 . 2008-10-29 10:04 <DIR> d-------- C:\Program Files\Panda Security
2008-10-28 15:47 . 2008-10-28 15:49 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-10-27 08:09 . 2008-10-27 08:09 52,224 --ah----- C:\Documents and Settings\Murray\Application Data\EHZComp.dll
2008-10-27 08:09 . 2008-10-27 08:09 18,432 --ah----- C:\Documents and Settings\Murray\Application Data\EHEncrypt.dll
2008-10-15 02:55 . 2008-09-08 05:41 333,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys
2008-10-15 02:53 . 2008-08-14 05:11 2,189,184 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe
2008-10-15 02:53 . 2008-08-14 05:09 2,145,280 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
2008-10-15 02:53 . 2008-08-14 04:33 2,066,048 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe
2008-10-15 02:53 . 2008-08-14 04:33 2,023,936 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
2008-10-15 02:53 . 2008-09-15 07:12 1,846,400 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-30 16:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-27 14:31 --------- d-----w C:\Program Files\ACT
2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-09-19 14:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-18 17:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-18 16:57 --------- d-----w C:\Program Files\Lavasoft
2008-09-18 16:57 --------- d-----w C:\Documents and Settings\Murray\Application Data\Lavasoft
2008-09-18 16:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-18 13:48 --------- d-----w C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-15 16:39 --------- d-----w C:\Program Files\Yahoo!
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-09-11 18:13 --------- d-----w C:\Program Files\Zoom Player
2008-09-09 15:21 --------- d-----w C:\Program Files\ZoomExpressKeyview
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-04 18:44 0 ----a-w C:\REGISTRY.DAT
2008-08-27 08:24 3,593,216 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-08-25 08:38 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-08-25 08:37 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-08-23 05:56 635,848 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
2008-03-27 18:01 56,912 ----a-w C:\Documents and Settings\Murray\g2mdlhlpx.exe
2004-07-07 22:11 36 ----a-w C:\Documents and Settings\Murray\klextlock.dat
1999-06-25 16:55 149,504 ----a-w C:\Program Files\UnComposer06.12.00.exe
1999-06-25 16:55 149,504 ----a-w C:\Program Files\UnComposer06.06.04.exe
1999-06-25 15:55 149,504 ----a-w C:\Program Files\UnComposer06.11.03.exe
1999-06-25 15:55 149,504 ----a-w C:\Program Files\UnComposer06.07.02.exe
1999-06-25 15:55 149,504 ----a-w C:\Program Files\UnComposer06.06.01.exe
1999-06-25 15:55 149,504 ----a-w C:\Program Files\UnComposer06.05.07.exe
1999-06-25 14:55 149,504 ----a-w C:\Program Files\UnComposer06.11.01.exe
2004-12-09 17:21 56 --sh--r C:\WINDOWS\SYSTEM32\E91688A5BD.sys
2004-12-09 17:38 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-17 569344]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 114688]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-07-28 413696]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 C:\WINDOWS\LOGI_MWX.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 C:\WINDOWS\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DiamondView"="C:\Program Files\Manulife Financial\Diamond View\Diamondview.exe" [2007-03-02 946688]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-02-18 24576]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2005-02-04 450560]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-01-02 784912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2003-01-31 12:27 364544 C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bacstray]
--a------ 2003-05-14 19:37 98304 C:\WINDOWS\SYSTEM32\BacsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:TINYPROXY
"53:TCP"= 53:TCP:TINYPROXY
R0 rmedia;Ricoh MediaCard Driver;C:\WINDOWS\system32\DRIVERS\rmedia.sys [2002-12-24 59520]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S2 avast! iAVS4 Control Service (aswUpdSv);avast! iAVS4 Control Service (aswUpdSv);C:\Program Files\ProtectService\ProtectService.exe [ ]
S3 ProtoWall;ProtoWall Network Service;C:\WINDOWS\system32\DRIVERS\ProtoWall.sys [2004-05-01 31360]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-bascstray - BascsTray.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell.com
R0 -: HKLM-Main,Start Page = about:blank
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-02 16:56:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-02 16:58:19
ComboFix-quarantined-files.txt 2008-11-02 21:58:01
Pre-Run: 14,469,595,136 bytes free
Post-Run: 14,483,714,048 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
197 --- E O F --- 2008-10-16 06:13:17