
[SOLVED] svchost.exe error "A breakpoint has been reached"

This is a discussion on [SOLVED] svchost.exe error "A breakpoint has been reached" within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 12-12-2011, 04:46 PM   #1
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hi all,

A colleague went to a local blog and unfortunately picked up a bug (see screenshot for error msg). He said "After running virus scan and cleaning the viruses, I was unable to restart and load my personal settings. I read that I should do a system restore to a previous point, which I did and still no luck."

Any ideas?

Here is DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Dustin at 18:27:18 on 2011-12-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1498 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080913
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\dustin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Logitech Vid] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Logitech Vid HD] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"
uRun: [wben] "c:\program files\workspace\wben.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDellB.exe" /mode2
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Dell WebCam Central B] c:\program files\dell webcam\dell webcam central\WebcamDellB.exe /mode2
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\dustin\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=GRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 65.106.1.196 65.106.7.196
TCP: Interfaces\{93283B5C-3BCE-454C-97C3-D54453BC52ED} : DhcpNameServer = 192.168.0.1 65.106.1.196 65.106.7.196
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dustin\application data\mozilla\firefox\profiles\0qkssrzq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\dustin\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-13 244368]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl178f9e10;MpKsl178f9e10;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d47d07f8-8253-4301-b081-509c505b7f58}\mpksl178f9e10.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d47d07f8-8253-4301-b081-509c505b7f58}\MpKsl178f9e10.sys [?]
S1 MpKsl48fa56eb;MpKsl48fa56eb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e330d0-5a44-41cf-a30e-af6c002f7bc6}\mpksl48fa56eb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e330d0-5a44-41cf-a30e-af6c002f7bc6}\MpKsl48fa56eb.sys [?]
S1 MpKsl7133b705;MpKsl7133b705;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{129a78df-7e00-4441-b95c-f52ed69e0736}\mpksl7133b705.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{129a78df-7e00-4441-b95c-f52ed69e0736}\MpKsl7133b705.sys [?]
S1 MpKsl895bd1db;MpKsl895bd1db;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5b44996-5621-4601-af2d-13f20d1e8a09}\mpksl895bd1db.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5b44996-5621-4601-af2d-13f20d1e8a09}\MpKsl895bd1db.sys [?]
S1 MpKslf8553329;MpKslf8553329;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a146f82-a909-4c01-8325-567f9c519131}\mpkslf8553329.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a146f82-a909-4c01-8325-567f9c519131}\MpKslf8553329.sys [?]
S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2011-2-2 1185008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-9-13 108160]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys --> c:\windows\system32\drivers\cvusbdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2008-9-13 148056]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-9-13 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-13 277504]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-12-12 22:21:22 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1f1275ff-5c16-4f4a-a549-a47857f203e9}\MpKsl751affbb.sys
2011-12-12 21:58:45 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1f1275ff-5c16-4f4a-a549-a47857f203e9}\offreg.dll
2011-12-12 21:58:37 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1f1275ff-5c16-4f4a-a549-a47857f203e9}\mpengine.dll
2011-12-12 21:57:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-12 21:57:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-12 21:56:44 -------- d-----w- c:\program files\iTunes
2011-12-12 21:56:44 -------- d-----w- c:\program files\iPod
2011-12-02 17:16:34 -------- d-----w- c:\program files\QuickTime(2)
2011-12-02 17:13:57 -------- d-----w- c:\program files\iPod(2)
2011-12-02 17:13:53 -------- d-----w- c:\program files\iTunes(2)
2011-12-02 17:09:49 -------- d-----w- c:\program files\Bonjour
2011-11-14 15:18:08 -------- d-----w- c:\documents and settings\dustin\local settings\application data\Solid State Networks
.
==================== Find3M ====================
.
2011-11-09 20:27:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 0750 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 18:27:26.62 ===============


Thank you,
Ed
Attached Images: screenshot of the svchost.exe error message (not reproduced here)

__________________
esark33 is offline  
Old 12-15-2011, 10:03 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

It appears you didn't attach the second dds log, Attach.txt, to your initial post.

Go to Start > Run and copy/paste the following into the Run box and click OK:

%temp%\Attach.txt

A text file should open. Save it to your desktop then attach that file to your next reply.

------------------------------------------------------

I need to see a gmer log in order to help you.

Download GMER Rootkit Scanner from here and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • First, gmer will run a short, initial scan.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan... click on NO.



  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


------------------------------------------------------

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
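A triage pass over the kind of DDS log posted in #1, as an added example that is not part of this thread and not code from the DDS tool. SAMPLE_DDS is a constructed excerpt modelled on Ed's log, and the indicator rules (process entries with no image path, orphaned "No File" BHO/toolbar entries, a nameless Run value, the NoFolderOptions/DisableRegistryTools policies, and a service whose image is not a real file) are the editor's own reading of what a forum analyst checks first, not an official DDS heuristic.

```python
"""Triage pass over a DDS log: pull out the entries a HJT analyst reads first.

Added example, not code from the thread or from the DDS tool. SAMPLE_DDS is a
constructed excerpt modelled on the log in post #1; the indicator rules are
the editor's heuristics, not an official DDS feature.
"""
import re
from collections import Counter, defaultdict

SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
.
============== Pseudo HJT Report ===============
.
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
.
============= SERVICES / DRIVERS ===============
.
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S4 vsdatant;vsdatant;a --> a [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.*)$")
IMAGE_EXT_RE = re.compile(r"\.(sys|exe|dll)$", re.IGNORECASE)

# Explorer/system restrictions that malware commonly sets to hinder cleanup.
SUSPICIOUS_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}


def split_sections(text):
    """Group a DDS log into {section title: [lines]}, dropping '.' spacer lines."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (category, line) pairs for the entries worth a second look."""
    sections = split_sections(text)
    findings = []

    # DDS prints the full image path of every process it can read; a bare file
    # name means the path could not be resolved, which is worth checking.
    for line in sections.get("Running Processes", []):
        if not DRIVE_PATH_RE.match(line):
            findings.append(("process-without-path", line))

    for line in sections.get("Pseudo HJT Report", []):
        policy = POLICY_RE.match(line)
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(("orphaned-ie-entry", line))      # leftover registration
        elif line.startswith(("uRun:", "mRun:")) and "[<NO NAME>]" in line:
            findings.append(("unnamed-run-value", line))      # empty autostart value
        elif policy and policy.group(1) in SUSPICIOUS_POLICIES and policy.group(2) != "0":
            findings.append(("restrictive-policy", line))

    # "a --> a [?]" style entries: the service image is not a file on disk.
    for line in sections.get("SERVICES / DRIVERS", []):
        service = SERVICE_RE.match(line)
        if service:
            target = service.group(1).split("-->")[-1].split("[")[0].strip()
            if not IMAGE_EXT_RE.search(target):
                findings.append(("service-without-image", line))

    return findings


def summarize(findings):
    """Count findings per category so a reply can lead with the serious ones."""
    return Counter(category for category, _ in findings)


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:22} {line}")
```

Feed it a full DDS.txt and the MSE MpKsl*.sys entries pass untouched because their targets are real .sys files; only the malformed service and the path-less processes surface.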
Old 12-15-2011, 02:01 PM   #3
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hi chemist,

Thanks for your help. Just wanted to inform you an online scan from Eset in Safe Mode with Networking did the trick!

Best,
Ed
__________________
esark33 is offline  
Old 12-15-2011, 02:37 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



Hi Ed, I would be flabbergasted if an online scan from ESET fixed all your problems. You have a particularly insidious and stubborn infection.

Would you mind running dds again and posting the first log in your next reply?
__________________

chemist is offline  
Old 12-16-2011, 12:22 PM   #5
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hi chemist,

Ok here is the new DDS, and "attach" is attached. Thank you!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Dustin at 10:03:26 on 2011-12-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1622 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080913
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [Google Update] "c:\documents and settings\dustin\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Logitech Vid] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Logitech Vid HD] "c:\program files\logitech\vid\vid.exe" -bootmode
uRun: [Starfield Updater] "c:\program files\workspace\WorkspaceUpdate.exe"
uRun: [wben] "c:\program files\workspace\wben.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDellB.exe" /mode2
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Dell WebCam Central B] c:\program files\dell webcam\dell webcam central\WebcamDellB.exe /mode2
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\dustin\startm~1\programs\startup\zooskm~1.lnk - c:\program files\zooskmessenger\ZooskMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbar...tml?p=GRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 65.106.1.196 65.106.7.196
TCP: Interfaces\{93283B5C-3BCE-454C-97C3-D54453BC52ED} : DhcpNameServer = 192.168.0.1 65.106.1.196 65.106.7.196
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dustin\application data\mozilla\firefox\profiles\0qkssrzq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\dustin\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\dustin\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2008-9-13 244368]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl178f9e10;MpKsl178f9e10;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d47d07f8-8253-4301-b081-509c505b7f58}\mpksl178f9e10.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d47d07f8-8253-4301-b081-509c505b7f58}\MpKsl178f9e10.sys [?]
S1 MpKsl48fa56eb;MpKsl48fa56eb;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e330d0-5a44-41cf-a30e-af6c002f7bc6}\mpksl48fa56eb.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{15e330d0-5a44-41cf-a30e-af6c002f7bc6}\MpKsl48fa56eb.sys [?]
S1 MpKsl7133b705;MpKsl7133b705;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{129a78df-7e00-4441-b95c-f52ed69e0736}\mpksl7133b705.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{129a78df-7e00-4441-b95c-f52ed69e0736}\MpKsl7133b705.sys [?]
S1 MpKsl895bd1db;MpKsl895bd1db;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5b44996-5621-4601-af2d-13f20d1e8a09}\mpksl895bd1db.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f5b44996-5621-4601-af2d-13f20d1e8a09}\MpKsl895bd1db.sys [?]
S1 MpKslf8553329;MpKslf8553329;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a146f82-a909-4c01-8325-567f9c519131}\mpkslf8553329.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a146f82-a909-4c01-8325-567f9c519131}\MpKslf8553329.sys [?]
S2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
S2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2011-2-2 1185008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-9-13 108160]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [2007-4-19 42832]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys --> c:\windows\system32\drivers\cvusbdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-13 50704]
S3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2008-9-13 148056]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-9-13 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-13 277504]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-12-16 14:52:31 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f578c302-f4ab-4a8f-a037-3706fc13a204}\MpKslc5f236bf.sys
2011-12-16 14:52:28 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f578c302-f4ab-4a8f-a037-3706fc13a204}\offreg.dll
2011-12-16 09:32:47 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f578c302-f4ab-4a8f-a037-3706fc13a204}\mpengine.dll
2011-12-13 14:42:50 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-13 14:42:50 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-13 14:42:50 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-12 21:57:18 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-12 21:57:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-12 21:56:44 -------- d-----w- c:\program files\iTunes
2011-12-12 21:56:44 -------- d-----w- c:\program files\iPod
2011-12-02 17:16:34 -------- d-----w- c:\program files\QuickTime(2)
2011-12-02 17:13:57 -------- d-----w- c:\program files\iPod(2)
2011-12-02 17:13:53 -------- d-----w- c:\program files\iTunes(2)
2011-12-02 17:09:49 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-09 20:27:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43:21 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43:21 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43:20 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 0750 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 10:04:21.37 ===============
Attached Files: attach.txt (25.5 KB)
-- esark33
Old 12-16-2011, 12:27 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit

Hello again, Ed. You're still infected. Please stay with me until I give the all clear.

I still need to see the gmer log, as per post#2 above.

------------------------------------------------------
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

-- chemist
Old 12-16-2011, 01:18 PM   #7
Registered Member
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit

Ok here you go.
Attached Files: Gmer.txt (240.7 KB)
-- esark33
Old 12-16-2011, 01:24 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit

Hello again, Ed.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery(repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download: Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install - Microsoft Download Center - Download Details

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here

Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:

Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
-- chemist
Old 12-16-2011, 02:52 PM   #9
Registered Member
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit

Ok here you go:


ComboFix 11-12-16.03 - Dustin 12/16/2011 16:17:15.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2036.1510 [GMT -5:00]
Running from: c:\documents and settings\Dustin\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Dustin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Symantec Endpoint Protection *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Dustin\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\Dustin\g2mdlhlpx.exe
c:\documents and settings\Dustin\WINDOWS
c:\windows\$NtUninstallKB21944$
c:\windows\$NtUninstallKB21944$\372183404
c:\windows\$NtUninstallKB43591$
c:\windows\$NtUninstallKB43591$\201369159\@
c:\windows\$NtUninstallKB43591$\201369159\bckfg.tmp
c:\windows\$NtUninstallKB43591$\201369159\cfg.ini
c:\windows\$NtUninstallKB43591$\201369159\Desktop.ini
c:\windows\$NtUninstallKB43591$\201369159\keywords
c:\windows\$NtUninstallKB43591$\201369159\kwrd.dll
c:\windows\$NtUninstallKB43591$\201369159\L\rohepcid
c:\windows\$NtUninstallKB43591$\201369159\lsflt7.ver
c:\windows\$NtUninstallKB43591$\201369159\U\00000001.@
c:\windows\$NtUninstallKB43591$\201369159\U\00000002.@
c:\windows\$NtUninstallKB43591$\201369159\U\00000004.@
c:\windows\$NtUninstallKB43591$\201369159\U\80000000.@
c:\windows\$NtUninstallKB43591$\201369159\U\80000004.@
c:\windows\$NtUninstallKB43591$\201369159\U\80000032.@
c:\windows\$NtUninstallKB43591$\2615731974
c:\windows\CSC\d6
c:\windows\EventSystem.log
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-16 21:35 . 2011-12-16 21:35 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F578C302-F4AB-4A8F-A037-3706FC13A204}\offreg.dll
2011-12-16 14:52 . 2011-12-16 14:52 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F578C302-F4AB-4A8F-A037-3706FC13A204}\MpKslc5f236bf.sys
2011-12-16 09:32 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F578C302-F4AB-4A8F-A037-3706FC13A204}\mpengine.dll
2011-12-12 21:57 . 2011-12-12 21:57 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-12 21:56 . 2011-12-12 21:56 -------- d-----w- c:\program files\iTunes
2011-12-12 21:56 . 2011-12-12 21:56 -------- d-----w- c:\program files\iPod
2011-12-12 21:56 . 2011-12-12 21:56 -------- d-----w- c:\program files\QuickTime
2011-12-02 17:09 . 2011-12-12 21:56 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-25 16:16 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-07-23 07:33 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-09 20:27 . 2011-11-09 20:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-01 16:07 . 2008-04-25 16:16 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2008-04-25 16:16 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2008-04-25 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2008-04-25 16:16 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2008-04-25 16:16 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:31 . 2008-04-25 16:16 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-25 16:16 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2008-04-25 16:16 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2007-10-09 18:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"Logitech Vid"="c:\program files\Logitech\Vid\vid.exe" [2010-05-11 6061400]
"Logitech Vid HD"="c:\program files\Logitech\Vid\vid.exe" [2010-05-11 6061400]
"Starfield Updater"="c:\program files\Workspace\WorkspaceUpdate.exe" [2011-09-01 34496]
"wben"="c:\program files\Workspace\wben.exe" [2011-11-22 368368]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 19550344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-01 196608]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-30 442467]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-07 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" [2008-04-11 372736]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-07 13537280]
"nwiz"="nwiz.exe" [2008-08-07 1630208]
"NVHotkey"="nvHotkey.dll" [2008-08-07 90112]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Dell WebCam Central B"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" [2008-04-11 372736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2010-05-07 165208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\Dustin\Start Menu\Programs\Startup\
ZooskMessenger.lnk - c:\program files\ZooskMessenger\ZooskMessenger.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Dustin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dustin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Vid\\Vid.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R2 File Backup;File Backup Service;c:\program files\Workspace\offSyncService.exe [2/2/2011 10:12 AM 1185008]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/13/2008 7:17 AM 108160]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [9/13/2008 7:17 AM 244368]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [9/13/2008 7:17 AM 148056]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [9/13/2008 7:17 AM 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [9/13/2008 7:17 AM 277504]
S1 MpKsl178f9e10;MpKsl178f9e10;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D47D07F8-8253-4301-B081-509C505B7F58}\MpKsl178f9e10.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D47D07F8-8253-4301-B081-509C505B7F58}\MpKsl178f9e10.sys [?]
S1 MpKsl48fa56eb;MpKsl48fa56eb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{15E330D0-5A44-41CF-A30E-AF6C002F7BC6}\MpKsl48fa56eb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{15E330D0-5A44-41CF-A30E-AF6C002F7BC6}\MpKsl48fa56eb.sys [?]
S1 MpKsl7133b705;MpKsl7133b705;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{129A78DF-7E00-4441-B95C-F52ED69E0736}\MpKsl7133b705.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{129A78DF-7E00-4441-B95C-F52ED69E0736}\MpKsl7133b705.sys [?]
S1 MpKsl895bd1db;MpKsl895bd1db;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5B44996-5621-4601-AF2D-13F20D1E8A09}\MpKsl895bd1db.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F5B44996-5621-4601-AF2D-13F20D1E8A09}\MpKsl895bd1db.sys [?]
S1 MpKslf8553329;MpKslf8553329;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A146F82-A909-4C01-8325-567F9C519131}\MpKslf8553329.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2A146F82-A909-4C01-8325-567F9C519131}\MpKslf8553329.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:09 PM 135664]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\Drivers\cvusbdrv.sys --> c:\windows\system32\Drivers\cvusbdrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:09 PM 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 19:09]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 19:09]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-892786887-1845275665-2905373060-1005Core.job
- c:\documents and settings\Dustin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 16:44]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-892786887-1845275665-2905373060-1005UA.job
- c:\documents and settings\Dustin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-19 16:44]
.
2011-12-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.0.1 65.106.1.196 65.106.7.196
FF - ProfilePath - c:\documents and settings\Dustin\Application Data\Mozilla\Firefox\Profiles\0qkssrzq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Skype Click to Call: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ChangeTPMAuth - c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 16:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1132)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(5080)
c:\windows\system32\WININET.dll
c:\windows\system32\logishrd\LVPrcInj01.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\drivers\audio\r190031\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\rundll32.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-16 16:42:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 21:42
ComboFix2.txt 2009-01-29 17:04
ComboFix3.txt 2009-01-29 16:21
.
Pre-Run: 52,734,173,184 bytes free
Post-Run: 53,636,362,240 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 80AD455D21BEC3FFA69ECB3111C60013
-- esark33
Old 12-16-2011, 03:31 PM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit

Hello again, Ed. Please tell us how your system is behaving.

------------------------------------------------------

Please uninstall the following via the Add or Remove Programs section of your Control Panel if they still exist:

LiveUpdate 3.3 (Symantec Corporation)

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard] 
"ShellNext"=-
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete MpKsl178f9e10

A DOS window will open and close again, this is normal.

Repeat for the following:

sc delete MpKsl48fa56eb

sc delete MpKsl7133b705

sc delete MpKsl895bd1db

sc delete MpKslf8553329

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs):

Java(TM) 6 Update 5

These are all outdated, and security risks by having them installed still. Reboot your computer once all those Java components are removed.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

In fact, you should be able to update your current Java, Java(TM) 6 Update 26, by going to Control Panel (Classic View) and double-clicking on the Java icon (looks like a coffee cup). Click on the Update tab. On the lower right, click on Update Now. An update should begin. Allow the install of the new Java.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-16-2011, 03:46 PM   #11
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hi chemist, first off - thank you immensely for your help, it is appreciated.

The user has gone home for the day so we shall continue this Monday.

Cheers and have a good w/e,
Ed
__________________
esark33 is offline  
Old 12-16-2011, 03:57 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



You're very welcome, Ed! Not a problem. You have a good weekend also.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-19-2011, 12:36 PM   #13
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hi chemist,

System is behaving normally. Here are the logs as promised:


Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8397

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/19/2011 10:56:49 AM
mbam-log-2011-12-19 (10-56-49).txt

Scan type: Quick scan
Objects scanned: 216840
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------


ESETSmartInstaller@High as downloader log:
Can not read file from internet.
ESETSmartInstaller@High as downloader log:
Can not read file from internet.
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ac51c6059952b84bab3fe128c6c0a19b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-12-19 06:20:22
# local_time=2011-12-19 01:20:22 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 87 0 20242812 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=126393
# found=4
# cleaned=0
# scan_time=7280
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-20032b23 Java/Exploit.CVE-2011-3544.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-47f799f3 Java/Agent.DY trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP606\A0093731.exe a variant of Win32/MessengerPlus application (unable to clean) 00000000000000000000000000000000 I
Y:\IT Sales\Desktop 8262011\DavidPhoebe\International\FILE ASAP!\MyFunCardsSetup2.3.50.42.ZUfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application (unable to clean) 00000000000000000000000000000000 I

Thanks,
Ed
__________________
esark33 is offline  
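The ESET log above has a simple shape: `# key=value` header lines followed by one line per finding (path, detection name, action in parentheses, a hash column, a flag). When a scan reports several items as "unable to clean", it helps to sort them by where they sit, since the Java deployment cache, old System Restore data and a non-system drive are each dealt with differently later in this thread. The parser below is an added example written for this page, not ESET's code and not anything posted in the thread; the location buckets (`java-cache`, `restore-point`, `other-drive`, `local`) and the sample header are this example's own, and the four finding lines are copied from the post above.

```python
"""Parse an ESET Online Scanner log and bucket the findings by location.

Added example for this thread; the log layout is inferred from the post
above, and the location buckets are this example's own convention.
"""
import re
from dataclasses import dataclass

# Constructed sample: trimmed header plus the four finding lines from the post.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
Can not read file from internet.
# version=7
# OnlineScannerApp.exe=1.0.0.1
# end=finished
# remove_checked=false
# archives_checked=true
# scanned=126393
# found=4
# cleaned=0
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-20032b23 Java/Exploit.CVE-2011-3544.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-47f799f3 Java/Agent.DY trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP606\A0093731.exe a variant of Win32/MessengerPlus application (unable to clean) 00000000000000000000000000000000 I
Y:\IT Sales\Desktop 8262011\DavidPhoebe\International\FILE ASAP!\MyFunCardsSetup2.3.50.42.ZUfox000.exe a variant of Win32/Toolbar.MyWebSearch.O application (unable to clean) 00000000000000000000000000000000 I
"""

# A finding line: drive path (may contain spaces), then the detection name, which
# either starts with "a variant of" / "probably" or with a Family/Name token
# containing a slash (Windows paths never contain one), then "(action)",
# a hex hash column and a one-character flag.
FINDING_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+.*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{16,64})\s+"
    r"(?P<flag>\S+)$"
)


@dataclass
class Finding:
    path: str
    threat: str
    action: str
    hash_column: str
    flag: str
    location: str


def classify_location(path: str) -> str:
    """Bucket a reported path by where it lives (buckets are this example's own)."""
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"      # cleared through the Java Control Panel steps
    if "\\system volume information\\" in p:
        return "restore-point"   # old System Restore data, dropped when restore points are purged
    if not p.startswith("c:\\"):
        return "other-drive"     # non-system drive (mapped or removable); handled by hand
    return "local"


def parse_eset_log(text: str):
    """Return (header dict, list of Finding) for one log; unknown lines are ignored."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["threat"], m["action"],
                                    m["hash"], m["flag"], classify_location(m["path"])))
    return header, findings


def summarize(text: str) -> dict:
    """Cross-check the header's found= count against parsed lines and group by location."""
    header, findings = parse_eset_log(text)
    declared = int(header.get("found", "0"))
    by_location = {}
    for f in findings:
        by_location[f.location] = by_location.get(f.location, 0) + 1
    return {
        "found_header": declared,
        "found_parsed": len(findings),
        "consistent": declared == len(findings),
        "by_location": by_location,
        "uncleaned": [f.path for f in findings if "unable to clean" in f.action],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `consistent` flag is the check worth keeping: if `found=` in the header and the number of finding lines disagree, the paste was truncated or the forum software mangled a line, and the log should be re-posted before anything is acted on.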
Old 12-19-2011, 02:08 PM   #14
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



Hello again, Ed. System Volume Information is where Windows keeps old system restore points. It will get deleted when we uninstall ComboFix.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Remove a log left by a previous run so only this run's failures are reported.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Each quoted path below is an item the ESET scan reported as "unable to clean".
for %%g in (

"C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\13\16431a4d-20032b23"
"C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\6\539bac06-47f799f3"
"Y:\IT Sales\Desktop 8262011\DavidPhoebe\International\FILE ASAP!\MyFunCardsSetup2.3.50.42.ZUfox000.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Any path still present after the delete attempt was written to the log;
rem show that log in Notepad, otherwise report success.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself when finished.
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-19-2011, 02:54 PM   #15
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Ok here's what came up:

Y:\IT Sales\Desktop 8262011\DavidPhoebe\International\FILE ASAP!\MyFunCardsSetup2.3.50.42.ZUfox000.exe
__________________
esark33 is offline  
Old 12-19-2011, 05:08 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



You'll have to delete this file manually:

Y:\IT Sales\Desktop 8262011\DavidPhoebe\International\FILE ASAP!\MyFunCardsSetup2.3.50.42.ZUfox000.exe

Let me know.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-19-2011, 05:52 PM   #17
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Hmm it's not letting me delete it; access is denied. I can't imagine it being currently in use. Is there another way I can rip it out?
__________________
esark33 is offline  
Old 12-19-2011, 05:56 PM   #18
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



See if you can delete it in Safe Mode:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
Old 12-19-2011, 06:04 PM   #19
Registered Member
 
Join Date: Apr 2010
Posts: 98
OS: Win 7 64bit



Ok got it; gone. Anything else?
__________________
esark33 is offline  
Old 12-19-2011, 06:07 PM   #20
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 26,490
OS: XP SP3; Win7 32/64-bit



Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable Security Essentials before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.

__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

chemist is offline  
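The HOSTS file step above works because any hostname listed against 127.0.0.1 (or 0.0.0.0, which some blocking lists use instead) resolves to the local machine and never reaches the ad server. The same file is also a common target for malware, which adds entries that send security-vendor or update sites to an address the attacker controls. The audit below is an added example for this page, not the MVPS tooling or anything from the thread: it parses HOSTS syntax, counts the blocking entries, and flags any hostname mapped to a routable address. The sample file, the hostnames in it and the `203.0.113.7` address are constructed; on Windows the live file is normally at `%SystemRoot%\System32\drivers\etc\hosts`.

```python
"""Audit a HOSTS file: count blocking (sinkhole) entries and flag suspicious ones.

Added example for this thread, not the MVPS file or its batch script.
"""
import ipaddress

# Constructed sample; none of these hostnames are real blocking-list entries.
SAMPLE_HOSTS = """# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.example-ads.test          # sinkholed with 0.0.0.0
127.0.0.1       tracker.example.test         # sinkholed with 127.0.0.1
127.0.0.1       banner.example.test second.example.test
203.0.113.7     update.example-av.test       # routable address: a hijack pattern
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed line, ignore
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((line_no, ip, name.lower()))
    return entries


def is_sinkhole(ip: str) -> bool:
    """True for addresses that keep traffic on the local machine (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> dict:
    """Summarise a HOSTS file: blocked names, and names sent to routable addresses."""
    blocked, suspicious, invalid = [], [], []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                           # the normal localhost lines are not blocks
        if is_sinkhole(ip):
            blocked.append(name)
        else:
            try:
                ipaddress.ip_address(ip)
                suspicious.append({"line": line_no, "ip": ip, "host": name})
            except ValueError:
                invalid.append({"line": line_no, "ip": ip, "host": name})
    return {"blocked_count": len(blocked), "blocked": blocked,
            "suspicious": suspicious, "invalid": invalid}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blocked entries: {report['blocked_count']}")
    for item in report["suspicious"]:
        print(f"line {item['line']}: {item['host']} -> {item['ip']} (not loopback)")
```

A routable address in HOSTS is not proof of compromise (an administrator may pin an internal server), but after a clean-up it is the entry to look at first, since a redirected update or vendor domain silently stops the antivirus from updating.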