Old 12-07-2008, 09:15 PM   #5 (permalink)
Joody
OS: Windows XP


Re: System start-up change detected

Hi again

Ok, I think I have done it all correctly. My computer seems to be working MUCH better. I am no longer getting extra windows opening, I don't have the messages on boot anymore, and the system start-up change messages seem to have stopped. The only thing is that it seems to take a long time to boot. It looks like it has booted, but the system is still doing something — the light is flashing, and if I try to open Mozilla there is a really big lag.

Here are the reports.

ComboFix 08-12-05.02 - Compaq_Owner 2008-12-05 20:29:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.278 [GMT -8:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\evukafew.ini
c:\windows\system32\ezoteyiy.ini
c:\windows\system32\isofopig.ini
c:\windows\system32\ohunotep.ini
c:\windows\system32\uhefowij.ini
c:\windows\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\evukafew.ini
c:\windows\system32\ezoteyiy.ini
c:\windows\system32\isofopig.ini
c:\windows\system32\ohunotep.ini
c:\windows\system32\uhefowij.ini
c:\windows\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-12-04 19:24 . 2008-12-04 19:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 19:23 . 2008-12-04 19:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-02 19:38 . 2008-12-02 19:38 250 --a------ c:\windows\gmer.ini
2008-12-01 19:25 . 2008-08-31 18:41 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:04 . 2008-11-27 17:04 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-11 19:29 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:28 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 02:57 --------- d-----w c:\program files\Microsoft AntiSpyware
2008-12-05 03:19 --------- d-----w c:\program files\iTunes
2008-12-03 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-03 00:53 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 13:50 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-11-06 01:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Printer Info Cache
2008-11-06 01:21 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Image Zone Express
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-09 02:48 --------- d-----w c:\program files\BingoLiner
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2007-07-13 01:06 56,912 ----a-w c:\documents and settings\Compaq_Owner\g2mdlhlpx.exe
2005-03-22 03:16 10,240 -csha-w c:\windows\rnapxs\rnapxs.dat
2005-02-16 04:19 0 -csha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_19.01.59.98 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSGTAG"="c:\program files\MSGTAG\MSGTAG.exe" [2003-09-16 1320448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-10 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-04-21 286720]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-07 27136]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 473928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-10 98304]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2005-10-25 122929]
"F-Secure TNB"="c:\program files\Shaw Secure\TNB\TNBUtil.exe" [2005-07-18 700416]
"F-Secure Startup Wizard"="c:\program files\Shaw Secure\FSGUI\FSSW.EXE" [2005-10-18 372736]
"News Service"="c:\program files\Shaw Secure\FSGUI\ispnews.exe" [2005-05-31 356352]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-10 16423]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Shaw Secure.lnk - c:\program files\Shaw Secure\backweb\3875767\Program\fspex.exe [2006-03-21 32807]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Yoe16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\Program Files\\Shaw Secure\\backweb\\3875767\\Program\\fspex.exe"=
"c:\\Program Files\\MSGTAG\\MSGTAG.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TalkShoe\\pjsua_win.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Shaw Secure\\Anti-Virus\\fsgk32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16966:TCP"= 16966:TCP:BitComet 16966 TCP
"16966:UDP"= 16966:UDP:BitComet 16966 UDP

R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2005-03-21 70896]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 BackWeb Plug-in - 3875767;Shaw Secure;c:\progra~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE [2006-03-21 32807]
R2 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2005-03-21 48720]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSgk.sys [2005-03-21 55424]
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2005-03-21 16816]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\PPSCAN.sys [2005-06-08 91520]
S3 Yoe16;Yoe16;\??\c:\windows\System32\drivers\Yoe16.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\SHAWSE~1\ANTI-V~1\fsav.exe [2005-06-15 11:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mStart Page = hxxp://www.msn.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: &Add animation to IncrediMail Style Box - c:\progra~1\INCRED~1\bin\resources\WebMenuImg.htm
IE: &Block this popup - c:\program files\Shaw Secure\Anti-Spyware\blockpopups.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\orq4y9p9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:31:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Shaw Secure\FWES\Program\fsdc.dll

- - - - - - - > 'lsass.exe'(584)
c:\program files\Shaw Secure\FWES\Program\fsdc.dll

- - - - - - - > 'csrss.exe'(504)
c:\program files\Shaw Secure\FWES\Program\fsdc.dll
.
Completion time: 2008-12-05 20:33:25
ComboFix-quarantined-files.txt 2008-12-06 04:32:49
ComboFix2.txt 2008-12-06 03:02:47

Pre-Run: 64,213,872,640 bytes free
Post-Run: 64,196,653,056 bytes free

183 --- E O F --- 2008-11-12 05:40:28



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 7, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 07, 2008 21:23:18
Records in database: 1442867
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 66997
Threat name: 11
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 01:50:42


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\count.jar-199fcf4d-4cee1517.zip.bac_a02436 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\count.jar-199fcf4d-4cee1517.zip.bac_a02436 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\count.jar-410ebb16-1e43ebd7.zip.bac_a02436 Infected: Exploit.Java.ByteVerify 2
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\count.jar-410ebb16-1e43ebd7.zip.bac_a02436 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\crtdcghcn.jar-2628f13a-18c48bf͕.bac_a02652 Infected: Trojan.Java.ClassLoader.ao 3
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\IBMH.dll.bac_a02652 Infected: not-a-virus:AdWare.Win32.InstantBuzz.a 1
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\IBSetup.exe.bac_a02652 Infected: not-a-virus:AdWare.Win32.InstantBuzz.a 1
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\IP6FW.0YS.bac_a02652 Infected: Trojan-Downloader.Win32.Diehard.dr 1
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\ms0311.jar-375c5d61-5e18f2bc.zip.bac_a02652 Infected: Trojan-Downloader.Java.OpenConnection.ak 2
C:\Documents and Settings\Compaq_Owner\.housecall6.6\Quarantine\ms0311.jar-375c5d61-5e18f2bc.zip.bac_a02652 Infected: Trojan.Java.ClassLoader.aq 1
C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-785f012d.zip Infected: Exploit.Java.Gimsh.b 1
C:\Program Files\Mozilla Firefox\xh7399.exe Infected: Trojan.Win32.Agent.asii 1
C:\WINDOWS\system32\BEGAJETU.0LL Infected: Trojan.Win32.Monder.aamw 1
C:\WINDOWS\system32\BUTAZAJI.0LL Infected: Trojan-Spy.Win32.Agent.fdp 1
C:\WINDOWS\system32\JIWOFEHU.0LL Infected: Trojan.Win32.Monder.aamw 1

The selected area was scanned.