
[SOLVED] svchost.exe using large amounts of memory

Old 01-10-2012, 08:12 PM   #1
Registered Member
 
Join Date: Dec 2010
Posts: 17
OS: Windows XP



Every time I boot up my computer the process svchost.exe starts using larger than normal amounts of memory, to the point that the computer is slowed down to being nearly unusable. I can stop the process to temporarily fix the problem but it always creeps back up.

I dug around in the past few days of activity for my antiviral and noticed an alert from a few days ago I had missed. Norton noticed an odd temp file called winupd.exe. I'm not sure if the issue I'm having is related since it seemed Norton removed this days before I started having problems. Since this is the only notice I've had from my antiviral recently, I figured I should mention it at least.


Any help is appreciated. Thank you c:

--------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Michelle Mindicino at 21:49:24 on 2012-01-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1085 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\Imperator\RazerImperatorTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RALINK\Common\RaRegistry.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Michelle Mindicino\Desktop\procexp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\19.2.0.10\ips\IPSBHO.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [Akamai NetSession Interface] "c:\documents and settings\michelle mindicino\local settings\application data\akamai\netsession_win.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Razer Imperator Driver] c:\program files\razer\imperator\RazerImperatorTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runreg~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\smartw~1.lnk - c:\program files\netgear\wg121 configuration utility\wlancfg8.exe
dPolicies-explorer: HideClock = 0 (0x0)
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {12F7F128-B36C-4843-8AA4-A5F71A969331} - hxxps://horizons.istaria.com/controls/launcher.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{49CC5133-E844-41FA-925F-CF660984F7D0} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{60847944-7F72-4540-8FA3-171375679A6E} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{F139C8E5-8B38-4546-902F-A98B899D745F} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\michelle mindicino\application data\mozilla\firefox\profiles\aqiw85t8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/plan/index.aspx
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\michelle mindicino\application data\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\documents and settings\michelle mindicino\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1302000.00a\symds.sys [2011-12-13 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1302000.00a\symefa.sys [2011-12-13 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\bashdefs\20111223.001\BHDrvx86.sys [2011-11-30 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\nav\1302000.00a\ccsetx86.sys [2011-12-13 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1302000.00a\ironx86.sys [2011-12-13 149624]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\19.2.0.10\ccsvchst.exe [2011-12-13 138760]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-12-6 2214504]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RaRegistry.exe [2010-9-2 185632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-13 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\ipsdefs\20120107.001\IDSXpx86.sys [2012-1-9 356280]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20120110.002\NAVENG.SYS [2012-1-10 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_19.1.1.3\definitions\virusdefs\20120110.002\NAVEX15.SYS [2012-1-10 1576312]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-11-16 100712]
R3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\drivers\procexp151.sys --> c:\windows\system32\drivers\PROCEXP151.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-8-6 24416]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [2007-12-31 335296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-09 20:21:06 -------- d-----w- C:\ebec34113cd2ac67c5fc25cc
2011-12-30 11:14:59 21976 ----a-w- c:\program files\mozilla firefox\plc4.dll
2011-12-30 11:14:59 20440 ----a-w- c:\program files\mozilla firefox\plds4.dll
2011-12-30 11:14:59 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-12-30 11:14:58 715216 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-12-30 11:14:58 269272 ----a-w- c:\program files\mozilla firefox\updater.exe
2011-12-30 11:14:58 19928 ----a-w- c:\program files\mozilla firefox\xpcom.dll
2011-12-30 11:14:58 170968 ----a-w- c:\program files\mozilla firefox\softokn3.dll
2011-12-30 11:14:58 154584 ----a-w- c:\program files\mozilla firefox\ssl3.dll
2011-12-30 11:14:58 105432 ----a-w- c:\program files\mozilla firefox\smime3.dll
2011-12-30 11:14:53 16096216 ----a-w- c:\program files\mozilla firefox\xul.dll
2011-12-13 18:05:08 897656 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symefa.sys
2011-12-13 18:05:08 566904 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\srtsp.sys
2011-12-13 18:05:08 387192 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symtdi.sys
2011-12-13 18:05:08 344184 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symtdiv.sys
2011-12-13 18:05:08 340088 ----a-r- c:\windows\system32\drivers\nav\1302000.00a\symds.sys
2011-12-13 18:05:08 31864 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\srtspx.sys
2011-12-13 18:05:08 314488 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\symnets.sys
2011-12-13 18:05:08 149624 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\ironx86.sys
2011-12-13 18:05:08 132744 ----a-w- c:\windows\system32\drivers\nav\1302000.00a\ccsetx86.sys
2011-12-13 18:05:02 -------- d-----w- c:\windows\system32\drivers\nav\1302000.00A
2011-12-13 17:59:52 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-13 17:59:52 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-13 17:59:52 -------- d-----w- c:\program files\Symantec
2011-12-13 17:59:26 -------- d-----w- c:\windows\system32\drivers\NAV
2011-12-13 17:59:24 -------- d-----w- c:\program files\Norton AntiVirus
2011-12-13 17:58:49 -------- d-----w- c:\program files\NortonInstaller
2011-12-13 17:39:51 -------- d-s---w- C:\ComboFix-111211
2011-12-13 15:15:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-12-11 1421 94896 ----a-w- c:\windows\system32\drivers\69467523.sys
2011-12-06 14:15:54 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-12-06 14:15:54 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-12-06 14:14:54 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-12-06 13:41:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 16:52:28 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 21:51:27.20 ===============
Attached file: ark&attach.zip (5.5 KB)
Old 01-15-2012, 01:58 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10



Hello and welcome to TSF.

Sorry for the delayed response.

Please note that more than one round may be needed to properly eradicate malware. In co-operation with the cleaning process, please:
  • do not uninstall/install any programs unless asked to do so, to make it easier on us as it is more difficult when files/programs are appearing in/disappearing from the logs;
  • do not run any tools or scans other than those requested;
  • follow all instructions in the order they are presented;
  • if you have problems with or do not understand the instructions, ask before continuing;
  • stay with this thread until given the All Clear, as absence of symptoms does not always mean the machine is clean;
  • do not attach any logs/reports, etc. unless specifically requested to do so;
  • all logs/reports, etc. must be posted in Notepad, making sure that word wrap is unchecked (in Notepad click Format and uncheck Word Wrap if it is checked).
Also note that the forum is very busy and if we don't hear from you within three days this thread will be closed.

==================

Please download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications. It's important that you do not skip this step. If you don't know how, please look in here:

    How to disable your security applications

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that.

Old 01-15-2012, 09:12 AM   #3
Registered Member
 
Join Date: Dec 2010
Posts: 17
OS: Windows XP



Thanks for your help c:
I ran ComboFix and have the text log below.
Computer is still showing the same symptoms but svchost.exe does seem to now run normally once I stop it once, rather than continually running out of control, so an improvement at least.
----------------------------------------------------------------------
ComboFix 12-01-15.01 - Michelle Mindicino 01/15/2012 11:28:39.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1010 [GMT -5:00]
Running from: c:\documents and settings\Michelle Mindicino\My Documents\Aywas\Computer Aid\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-14 13:35 . 2012-01-14 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2012-01-14 01:52 . 2012-01-14 02:18 -------- d-----w- c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\NPE
2012-01-12 22:22 . 2012-01-12 22:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-01-09 20:21 . 2012-01-09 20:21 -------- d-----w- C:\ebec34113cd2ac67c5fc25cc
2011-12-30 11:14 . 2011-12-30 11:14 21976 ----a-w- c:\program files\Mozilla Firefox\plc4.dll
2011-12-30 11:14 . 2011-12-30 11:14 20440 ----a-w- c:\program files\Mozilla Firefox\plds4.dll
2011-12-30 11:14 . 2011-12-30 11:14 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-12-30 11:14 . 2011-12-30 11:14 715216 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-12-30 11:14 . 2011-12-30 11:14 269272 ----a-w- c:\program files\Mozilla Firefox\updater.exe
2011-12-30 11:14 . 2011-12-30 11:14 19928 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
2011-12-30 11:14 . 2011-12-30 11:14 170968 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
2011-12-30 11:14 . 2011-12-30 11:14 154584 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
2011-12-30 11:14 . 2011-12-30 11:14 105432 ----a-w- c:\program files\Mozilla Firefox\smime3.dll
2011-12-30 11:14 . 2011-12-30 11:14 16096216 ----a-w- c:\program files\Mozilla Firefox\xul.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 13:19 . 2008-07-22 12:21 6774 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-12-13 17:59 . 2011-12-13 17:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-13 17:59 . 2011-12-13 17:59 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-11 14:06 . 2011-12-11 14:06 94896 ----a-w- c:\windows\system32\drivers\69467523.sys
2011-12-06 13:41 . 2011-12-06 13:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 16:52 . 2004-08-10 16:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-10 16:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-10 16:51 186880 ----a-w- c:\windows\system32\encdec.dll
2011-12-30 11:15 . 2011-12-30 11:15 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-07-27 20:50 . 2004-07-27 20:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
.
2004-07-27 20:50 . 2004-07-27 20:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
.
2005-10-05 07:12 . 2005-10-05 07:12 94208 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
.
2007-03-15 16:09 . 2007-03-15 16:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe
.
2006-02-19 06:41 . 2006-02-19 06:41 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
.
2007-07-19 14:33 . 2006-07-06 11:15 151552 c:\program files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe
.
2006-02-23 19:45 . 2006-02-23 19:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2011-04-14 15:32 . 2011-04-14 15:32 421160 c:\program files\iTunes\iTunesHelper.exe
.
2004-08-10 17:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-08-28 12:38 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe
.
2007-10-04 12:33 . 2007-10-04 12:33 155648 c:\program files\QuickTime\bak\qttask.exe
2010-11-29 21:38 . 2010-11-29 21:38 421888 c:\program files\QuickTime\QTTask.exe
.
2004-08-10 16:51 . 2004-08-04 09:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-10 16:51 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2007-07-19 14:39 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\bak\DLACTRLW.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2010-01-24 1845248]
"Akamai NetSession Interface"="c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\Akamai\netsession_win.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Razer Imperator Driver"="c:\program files\Razer\Imperator\RazerImperatorTray.exe" [2010-09-07 2787224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-4 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-17 528384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-10-29 614400]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2011-4-14 1175552]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-31 274432]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NETGEAR\\WG121 Configuration Utility\\wlancfg8.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"1056:TCP"= 1056:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [12/13/2011 1:05 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [12/13/2011 1:05 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 9:25 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [12/13/2011 1:05 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [12/13/2011 1:05 PM 149624]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [12/13/2011 1:05 PM 138760]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/6/2011 9:15 AM 2214504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/13/2011 1:05 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120113.002\IDSXpx86.sys [1/13/2012 7:04 PM 356280]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/16/2010 11:42 AM 100712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/6/2009 8:22 AM 24416]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [12/31/2007 11:20 AM 335296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:51 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Michelle Mindicino\Application Data\Mozilla\Firefox\Profiles\aqiw85t8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/plan/index.aspx
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-15 11:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:46,e0,70,db,ff,98,b8,fd,e6,d0,87,e5,2f,3a,6f,fb,6d,30,13,1b,fd,a2,cf,
88,17,91,b1,d2,34,f4,5a,32,97,b2,5a,63,f2,06,59,9b,d2,a0,61,92,bd,0a,d6,cc,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\License information*]
"datasecu"=hex:e5,a2,0f,9d,a1,6f,53,fa,a5,f0,17,6d,81,4c,6a,4a,75,c9,20,56,e7,
52,3d,7f,0c,5f,7f,0d,57,ee,17,02,7c,af,90,2c,f6,47,c6,bf,f5,5e,1f,0c,bb,29,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\COMRes.dll
.
Completion time: 2012-01-15 11:44:45
ComboFix-quarantined-files.txt 2012-01-15 16:44
.
Pre-Run: 73,469,706,240 bytes free
Post-Run: 74,231,734,272 bytes free
.
- - End Of File - - BD83C0951B92BE5BD10553E5A9E31F39
Old 01-15-2012, 09:34 AM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

Hi,
  • Download TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If malicious objects are found, ensure Cure is selected (it should be by default). NOTE: If Cure is not an option, please select Skip.
  • Click Continue then click Reboot now.
  • Once complete, a log will be produced at the root drive which is typically C:\
    For example, C:\TDSSKiller.2.5.3.0_date_time_log.txt
  • Attach that log, please.
Old 01-15-2012, 09:56 AM   #5
Registered Member
Join Date: Dec 2010
Posts: 17
OS: Windows XP

Done, here is the log.
Attached Files
File Type: txt TDSSKiller.2.7.1.0_15.01.2012_12.53.12_log.txt (76.2 KB, 8 views)
Old 01-15-2012, 10:04 AM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

Please post a fresh GMER log.
Old 01-15-2012, 06:31 PM   #7
Registered Member
Join Date: Dec 2010
Posts: 17
OS: Windows XP

Here it is.
Since my last reboot the computer now seems to be running normally. Does it look like the virus is completely gone now?
Attached Files
File Type: txt ark.txt (8.0 KB, 7 views)
Old 01-15-2012, 10:22 PM   #8
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

Hi,

Glad to hear that it seems to be running better now, but we are not done yet.

Please disable your security tools as before and run Combofix with the following script.

If Combofix asks for an update, please allow it.

===========================
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Code:

DDS::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
"6112:TCP"=-
"5985:TCP"=-
"1056:TCP"=-
"5000:UDP"=-

Firefox::
FF - ProfilePath - c:\documents and settings\Michelle Mindicino\Application Data\Mozilla\Firefox\Profiles\aqiw85t8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4

AWF::
c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe
c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
c:\program files\Dell\Media Experience\bak\DMXLauncher.exe
c:\program files\DellSupport\bak\DSAgnt.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Intel\Intel Matrix Storage Manager\bak\Iaanotif.exe
c:\windows\system32\DLA\bak\DLACTRLW.EXE
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Messenger\bak\msmsgs.exe
c:\program files\Messenger\bak\msmsgs.exe
c:\windows\system32\bak\ctfmon.exe

ADS::
C:\Documents and Settings\Michelle Mindicino\Local Settings\temp

ClearJavaCache::
Save this as CFScript.txt on your Desktop.

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
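The CFScript in the post above does two things worth understanding: it removes the Firefox prefs.js entries that point the browser at a proxy on 127.0.0.1:50370 (a local listener that intercepts browsing is a classic sign of an infection, since nothing legitimate on this machine is known to provide one), and it clears the firewall's GloballyOpenPorts list so the exceptions are rebuilt only by software that still needs them. As an added example, not code from this thread, from ComboFix or from its authors, the Python below pulls exactly those two kinds of line out of a DDS/ComboFix-style log and flags them, so the triage the helper did by eye can be repeated mechanically on any such log. The sample log is a constructed excerpt modelled on the lines quoted in this thread, with the Windows user name and Firefox profile id replaced by placeholders.

```python
"""Triage helper for DDS/ComboFix-style logs.

Added example, not part of this thread and not ComboFix's own code. It pulls
out the two kinds of line the CFScript above removes: Firefox prefs.js proxy
settings and Windows Firewall GloballyOpenPorts entries, and flags a proxy
that points at the loopback address.
"""
import ipaddress
import re

# Constructed sample modelled on the lines quoted in this thread; the Windows
# user name and Firefox profile id are placeholders.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\PROFILE.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.example.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 4
"""

OPEN_PORTS_KEY = "GloballyOpenPorts\\List]"
PORT_LINE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.*)$')
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")


def parse_open_ports(log):
    """Return GloballyOpenPorts entries as dicts: port, proto, name, enabled."""
    entries = []
    in_section = False
    for line in log.splitlines():
        if line.startswith("[") and line.endswith(OPEN_PORTS_KEY):
            in_section = True
            continue
        if not in_section:
            continue
        m = PORT_LINE.match(line)
        if not m:
            in_section = False  # the list ends at the first non-port line
            continue
        fields = [f.strip() for f in m.group("value").split(":")]
        # The display format is port:proto[:scope][:Enabled|Disabled]:name, with a
        # stray numeric token on some lines; keep only the descriptive field(s).
        desc = [f for f in fields[2:]
                if f and f != "*" and f not in ("Enabled", "Disabled") and not f.isdigit()]
        entries.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "name": " ".join(desc),
            "enabled": "Disabled" not in fields,
        })
    return entries


def parse_firefox_prefs(log):
    """Collect 'FF - prefs.js: <name> - <value>' lines into a dict."""
    prefs = {}
    for line in log.splitlines():
        m = FF_PREF.match(line)
        if m:
            prefs[m.group("name")] = m.group("value").strip()
    return prefs


def is_loopback(host):
    """True for 'localhost', any 127.0.0.0/8 address, or ::1."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip()).is_loopback
    except ValueError:
        return False


def triage(log):
    """Return human-readable findings: loopback proxies first, then every
    firewall exception, which an analyst should review one by one."""
    findings = []
    prefs = parse_firefox_prefs(log)
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host and is_loopback(host):
            port = prefs.get(f"network.proxy.{scheme}_port", "?")
            ptype = prefs.get("network.proxy.type", "?")
            findings.append(f"firefox {scheme} proxy points at loopback "
                            f"{host}:{port} (network.proxy.type={ptype})")
    for e in parse_open_ports(log):
        state = "enabled" if e["enabled"] else "disabled"
        findings.append(f"firewall exception {e['port']}/{e['proto']} "
                        f"{state}: {e['name'] or '(unnamed)'}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it on a saved ComboFix or DDS log by reading the file into `triage()` instead of `SAMPLE_LOG`. A loopback proxy finding is the one that deserves immediate attention unless you deliberately installed local proxy software; the firewall exceptions are a checklist to compare against what is actually installed, which is what the script above resets wholesale.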
Old 01-16-2012, 06:00 AM   #9
Registered Member
Join Date: Dec 2010
Posts: 17
OS: Windows XP

Done, here is the log ^_^
-------------------------------------
ComboFix 12-01-15.01 - Michelle Mindicino 01/16/2012 8:10.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1353 [GMT -5:00]
Running from: c:\documents and settings\Michelle Mindicino\My Documents\Aywas\Computer Aid\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Mindicino\Desktop\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
ADS - temp: deleted 238080 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-14 13:35 . 2012-01-14 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2012-01-14 01:52 . 2012-01-14 02:18 -------- d-----w- c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\NPE
2012-01-12 22:22 . 2012-01-12 22:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-01-09 20:21 . 2012-01-09 20:21 -------- d-----w- C:\ebec34113cd2ac67c5fc25cc
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-30 11:14 . 2011-12-30 11:14 21976 ----a-w- c:\program files\Mozilla Firefox\plc4.dll
2011-12-30 11:14 . 2011-12-30 11:14 20440 ----a-w- c:\program files\Mozilla Firefox\plds4.dll
2011-12-30 11:14 . 2011-12-30 11:14 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-12-30 11:14 . 2011-12-30 11:14 715216 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-12-30 11:14 . 2011-12-30 11:14 269272 ----a-w- c:\program files\Mozilla Firefox\updater.exe
2011-12-30 11:14 . 2011-12-30 11:14 19928 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
2011-12-30 11:14 . 2011-12-30 11:14 170968 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
2011-12-30 11:14 . 2011-12-30 11:14 154584 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
2011-12-30 11:14 . 2011-12-30 11:14 105432 ----a-w- c:\program files\Mozilla Firefox\smime3.dll
2011-12-30 11:14 . 2011-12-30 11:14 16096216 ----a-w- c:\program files\Mozilla Firefox\xul.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 13:19 . 2008-07-22 12:21 6774 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-12-13 17:59 . 2011-12-13 17:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-13 17:59 . 2011-12-13 17:59 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-11 14:06 . 2011-12-11 14:06 94896 ----a-w- c:\windows\system32\drivers\69467523.sys
2011-12-06 13:41 . 2011-12-06 13:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 16:52 . 2004-08-10 16:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-10 16:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 11:15 . 2011-12-30 11:15 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_16.42.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-16 13:28 . 2012-01-16 13:28 16384 c:\windows\Temp\Perflib_Perfdata_66c.dat
- 2004-08-10 16:51 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2004-08-10 16:51 . 2008-04-14 00:12 176128 c:\windows\system32\winmm.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
+ 2007-07-19 14:39 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE
+ 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\3c238.msp
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2010-01-24 1845248]
"Akamai NetSession Interface"="c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\Akamai\netsession_win.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Razer Imperator Driver"="c:\program files\Razer\Imperator\RazerImperatorTray.exe" [2010-09-07 2787224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-4 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-17 528384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-10-29 614400]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2011-4-14 1175552]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-31 274432]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NETGEAR\\WG121 Configuration Utility\\wlancfg8.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"1056:TCP"= 1056:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [12/13/2011 1:05 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [12/13/2011 1:05 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 9:25 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [12/13/2011 1:05 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [12/13/2011 1:05 PM 149624]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [12/13/2011 1:05 PM 138760]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/6/2011 9:15 AM 2214504]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120113.002\IDSXpx86.sys [1/13/2012 7:04 PM 356280]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/16/2010 11:42 AM 100712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/6/2009 8:22 AM 24416]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [12/31/2007 11:20 AM 335296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:51 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michelle Mindicino\Application Data\Mozilla\Firefox\Profiles\aqiw85t8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/plan/index.aspx
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-16 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:46,e0,70,db,ff,98,b8,fd,e6,d0,87,e5,2f,3a,6f,fb,6d,30,13,1b,fd,a2,cf,
88,17,91,b1,d2,34,f4,5a,32,97,b2,5a,63,f2,06,59,9b,d2,a0,61,92,bd,0a,d6,cc,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\License information*]
"datasecu"=hex:e5,a2,0f,9d,a1,6f,53,fa,a5,f0,17,6d,81,4c,6a,4a,75,c9,20,56,e7,
52,3d,7f,0c,5f,7f,0d,57,ee,17,02,7c,af,90,2c,f6,47,c6,bf,f5,5e,1f,0c,bb,29,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3448)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RALINK\Common\RaRegistry.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2012-01-16 08:41:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-16 13:41
ComboFix2.txt 2012-01-15 16:44
.
Pre-Run: 74,634,895,360 bytes free
Post-Run: 74,611,355,648 bytes free
.
- - End Of File - - 459EEC52C7A417FA91AD640D80B1BA7F
Old 01-16-2012, 07:22 AM   #10
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

Hi,
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"=-
"6112:TCP"=-
"5985:TCP"=-
"1056:TCP"=-
"5000:UDP"=-
Save this as CFScript.txt on your Desktop.

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

=====================

Please update its definitions, and run a new Quick Scan.
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

==================

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic and let me know how the system is behaving.
Old 01-16-2012, 03:40 PM   #11
Registered Member
Join Date: Dec 2010
Posts: 17
OS: Windows XP

All that is done.

ESET did find two things; I'm not sure if they're anything to be concerned about.

The system seems to be running fine, a little slow on start-up perhaps, but running fine otherwise.

Also I had a power blip while ComboFix was running the first time and had to restart it. Would that have caused any problems?
-------------------------------
Combofix Log
----------------------------------
ComboFix 12-01-15.01 - Michelle Mindicino 01/16/2012 15:49:15.8.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1418 [GMT -5:00]
Running from: c:\documents and settings\Michelle Mindicino\My Documents\Aywas\Computer Aid\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Mindicino\Desktop\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-16 20:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-14 13:35 . 2012-01-14 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2012-01-14 01:52 . 2012-01-14 02:18 -------- d-----w- c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\NPE
2012-01-12 22:22 . 2012-01-12 22:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-01-09 20:21 . 2012-01-09 20:21 -------- d-----w- C:\ebec34113cd2ac67c5fc25cc
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-30 11:14 . 2011-12-30 11:14 21976 ----a-w- c:\program files\Mozilla Firefox\plc4.dll
2011-12-30 11:14 . 2011-12-30 11:14 20440 ----a-w- c:\program files\Mozilla Firefox\plds4.dll
2011-12-30 11:14 . 2011-12-30 11:14 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-12-30 11:14 . 2011-12-30 11:14 715216 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-12-30 11:14 . 2011-12-30 11:14 269272 ----a-w- c:\program files\Mozilla Firefox\updater.exe
2011-12-30 11:14 . 2011-12-30 11:14 19928 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
2011-12-30 11:14 . 2011-12-30 11:14 170968 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
2011-12-30 11:14 . 2011-12-30 11:14 154584 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
2011-12-30 11:14 . 2011-12-30 11:14 105432 ----a-w- c:\program files\Mozilla Firefox\smime3.dll
2011-12-30 11:14 . 2011-12-30 11:14 16096216 ----a-w- c:\program files\Mozilla Firefox\xul.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 13:19 . 2008-07-22 12:21 6774 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-12-13 17:59 . 2011-12-13 17:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-13 17:59 . 2011-12-13 17:59 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-11 14:06 . 2011-12-11 14:06 94896 ----a-w- c:\windows\system32\drivers\69467523.sys
2011-12-06 13:41 . 2011-12-06 13:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 16:52 . 2004-08-10 16:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-10 16:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 16:51 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 16:51 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 11:15 . 2011-12-30 11:15 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_16.42.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-16 20:42 . 2012-01-16 20:42 16384 c:\windows\Temp\Perflib_Perfdata_618.dat
+ 2012-01-16 20:37 . 2012-01-16 20:37 16384 c:\windows\Temp\Perflib_Perfdata_5f4.dat
- 2004-08-10 16:51 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2004-08-10 16:51 . 2008-04-14 00:12 176128 c:\windows\system32\winmm.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
+ 2010-06-18 17:45 . 2011-11-25 21:57 293376 c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
+ 2011-11-03 15:28 . 2011-11-03 15:28 386048 c:\windows\system32\dllcache\qdvd.dll
+ 2007-07-19 14:39 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE
+ 2008-05-07 05:12 . 2011-11-03 15:28 1292288 c:\windows\system32\dllcache\quartz.dll
+ 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\3c238.msp
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-04 12:33 . 2007-10-04 12:33 155648 c:\program files\QuickTime\bak\qttask.exe
2010-11-29 21:38 . 2010-11-29 21:38 421888 c:\program files\QuickTime\QTTask.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2010-01-24 1845248]
"Akamai NetSession Interface"="c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\Akamai\netsession_win.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Razer Imperator Driver"="c:\program files\Razer\Imperator\RazerImperatorTray.exe" [2010-09-07 2787224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-4 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-17 528384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-10-29 614400]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2011-4-14 1175552]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-31 274432]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NETGEAR\\WG121 Configuration Utility\\wlancfg8.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [12/13/2011 1:05 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [12/13/2011 1:05 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 9:25 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [12/13/2011 1:05 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [12/13/2011 1:05 PM 149624]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [12/13/2011 1:05 PM 138760]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/6/2011 9:15 AM 2214504]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120113.002\IDSXpx86.sys [1/13/2012 7:04 PM 356280]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/16/2010 11:42 AM 100712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/6/2009 8:22 AM 24416]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [12/31/2007 11:20 AM 335296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:51 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michelle Mindicino\Application Data\Mozilla\Firefox\Profiles\aqiw85t8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/plan/index.aspx
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-16 16:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:46,e0,70,db,ff,98,b8,fd,e6,d0,87,e5,2f,3a,6f,fb,6d,30,13,1b,fd,a2,cf,
88,17,91,b1,d2,34,f4,5a,32,97,b2,5a,63,f2,06,59,9b,d2,a0,61,92,bd,0a,d6,cc,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\License information*]
"datasecu"=hex:e5,a2,0f,9d,a1,6f,53,fa,a5,f0,17,6d,81,4c,6a,4a,75,c9,20,56,e7,
52,3d,7f,0c,5f,7f,0d,57,ee,17,02,7c,af,90,2c,f6,47,c6,bf,f5,5e,1f,0c,bb,29,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2316)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-16 16:01:40
ComboFix-quarantined-files.txt 2012-01-16 21:01
ComboFix2.txt 2012-01-16 13:42
ComboFix3.txt 2012-01-15 16:44
.
Pre-Run: 74,853,662,720 bytes free
Post-Run: 74,828,685,312 bytes free
.
- - End Of File - - 9EF40142123A95EA4EDFD328B05FC9F3
------------------------------------
Malware Bytes Log
------------------------------------
Malwarebytes Anti-Malware 1.60.0.1800

Database version: v2012.01.16.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Michelle Mindicino :: LAMDA [administrator]

1/16/2012 4:09:55 PM
mbam-log-2012-01-16 (16-09-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214231
Time elapsed: 18 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-----------------------------
ESET Log
------------------------------
C:\SDFix.exe Win32/PrcView application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000468.exe a variant of Win32/KillProcess.A application
Old 01-16-2012, 11:06 PM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10



Hi,

Looking good. The ESET detections are not anything to be concerned about. SDFix.exe is safe, but it is an old tool which has not been updated for years now, so there is no point keeping it around. You can delete it.

C:\SDFix.exe

System Volume Information is where system restore points are stored. Any infection there is inert unless you restore the system to that infected point. However, to avoid that in future, the system restore cache will be cleared when Combofix is uninstalled properly as instructed in the next round, if all is well.

=================

I missed one item, left from an old infection. Sorry about that. We need to run Combofix one more time.
  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won’t work.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Code:
AWF::
c:\program files\QuickTime\bak\qttask.exe
Save this as CFScript.txt on your Desktop.

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Old 01-17-2012, 06:19 AM   #13
Registered Member
 
Join Date: Dec 2010
Posts: 17
OS: Windows XP



Thanks, here's that log.

ComboFix 12-01-15.01 - Michelle Mindicino 01/17/2012 8:13.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1396 [GMT -5:00]
Running from: c:\documents and settings\Michelle Mindicino\My Documents\Aywas\Computer Aid\ComboFix.exe
Command switches used :: c:\documents and settings\Michelle Mindicino\Desktop\CFScript.txt
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-16 20:46 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-14 13:35 . 2012-01-14 13:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2012-01-14 01:52 . 2012-01-14 02:18 -------- d-----w- c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\NPE
2012-01-12 22:22 . 2012-01-12 22:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2012-01-09 20:21 . 2012-01-09 20:21 -------- d-----w- C:\ebec34113cd2ac67c5fc25cc
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-12-30 11:14 . 2011-12-30 11:14 21976 ----a-w- c:\program files\Mozilla Firefox\plc4.dll
2011-12-30 11:14 . 2011-12-30 11:14 20440 ----a-w- c:\program files\Mozilla Firefox\plds4.dll
2011-12-30 11:14 . 2011-12-30 11:14 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-12-30 11:14 . 2011-12-30 11:14 715216 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-12-30 11:14 . 2011-12-30 11:14 269272 ----a-w- c:\program files\Mozilla Firefox\updater.exe
2011-12-30 11:14 . 2011-12-30 11:14 19928 ----a-w- c:\program files\Mozilla Firefox\xpcom.dll
2011-12-30 11:14 . 2011-12-30 11:14 170968 ----a-w- c:\program files\Mozilla Firefox\softokn3.dll
2011-12-30 11:14 . 2011-12-30 11:14 154584 ----a-w- c:\program files\Mozilla Firefox\ssl3.dll
2011-12-30 11:14 . 2011-12-30 11:14 105432 ----a-w- c:\program files\Mozilla Firefox\smime3.dll
2011-12-30 11:14 . 2011-12-30 11:14 16096216 ----a-w- c:\program files\Mozilla Firefox\xul.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 13:19 . 2008-07-22 12:21 6774 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-12-13 17:59 . 2011-12-13 17:59 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-13 17:59 . 2011-12-13 17:59 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-11 14:06 . 2011-12-11 14:06 94896 ----a-w- c:\windows\system32\drivers\69467523.sys
2011-12-06 13:41 . 2011-12-06 13:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-05 16:52 . 2004-08-10 16:51 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-25 21:57 . 2004-08-10 16:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-10 16:51 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-10 16:51 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-10 16:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-10 16:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-10 16:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-10 16:51 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-10 16:51 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-10 16:51 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-10 16:51 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-10 16:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-10 16:51 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 02:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-30 11:15 . 2011-12-30 11:15 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-15_16.42.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-17 13:29 . 2012-01-17 13:29 16384 c:\windows\Temp\Perflib_Perfdata_68c.dat
- 2004-08-10 16:51 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2004-08-10 16:51 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2004-08-10 16:51 . 2008-04-14 00:12 176128 c:\windows\system32\winmm.dll
+ 2010-06-18 17:45 . 2011-11-25 21:57 293376 c:\windows\system32\dllcache\winsrv.dll
- 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
+ 2011-11-03 15:28 . 2011-11-03 15:28 386048 c:\windows\system32\dllcache\qdvd.dll
+ 2007-07-19 14:39 . 2005-09-08 09:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE
+ 2008-05-07 05:12 . 2011-11-03 15:28 1292288 c:\windows\system32\dllcache\quartz.dll
+ 2012-01-03 17:58 . 2012-01-03 17:58 15929344 c:\windows\Installer\3c238.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2010-01-24 1845248]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"Razer Imperator Driver"="c:\program files\Razer\Imperator\RazerImperatorTray.exe" [2010-09-07 2787224]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-04 155648]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-12-4 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-17 528384]
Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2010-10-29 614400]
Run Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2011-4-14 1175552]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-12-31 274432]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideClock"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NETGEAR\\WG121 Configuration Utility\\wlancfg8.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\Minions of Mirth\\bin\\MinionsOfMirth.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\on the rain-slick precipice of darkness - episode one\\RainSlickEp1.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\swkotor\\swkotor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Dead Space.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dead space\\Support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\audiosurf\\engine\\QuestViewer.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1302000.00A\symds.sys [12/13/2011 1:05 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1302000.00A\symefa.sys [12/13/2011 1:05 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\BASHDefs\20111223.001\BHDrvx86.sys [11/30/2011 9:25 PM 820344]
R1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1302000.00A\ccsetx86.sys [12/13/2011 1:05 PM 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1302000.00A\ironx86.sys [12/13/2011 1:05 PM 149624]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccsvchst.exe [12/13/2011 1:05 PM 138760]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/6/2011 9:15 AM 2214504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/16/2012 4:25 PM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.1.3\Definitions\IPSDefs\20120114.005\IDSXpx86.sys [1/17/2012 8:02 AM 356280]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [11/16/2010 11:42 AM 100712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 PROCEXP151;PROCEXP151;\??\c:\windows\system32\Drivers\PROCEXP151.SYS --> c:\windows\system32\Drivers\PROCEXP151.SYS [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [8/6/2009 8:22 AM 24416]
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\drivers\wg121nd5.sys [12/31/2007 11:20 AM 335296]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/10/2004 11:51 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michelle Mindicino\Application Data\Mozilla\Firefox\Profiles\aqiw85t8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/plan/index.aspx
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Akamai NetSession Interface - c:\documents and settings\Michelle Mindicino\Local Settings\Application Data\Akamai\netsession_win.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2012-01-17 08:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:46,e0,70,db,ff,98,b8,fd,e6,d0,87,e5,2f,3a,6f,fb,6d,30,13,1b,fd,a2,cf,
88,17,91,b1,d2,34,f4,5a,32,97,b2,5a,63,f2,06,59,9b,d2,a0,61,92,bd,0a,d6,cc,\
"??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
.
[HKEY_USERS\S-1-5-21-4271881909-3419027923-3872122527-1006\Software\SecuROM\License information*]
"datasecu"=hex:e5,a2,0f,9d,a1,6f,53,fa,a5,f0,17,6d,81,4c,6a,4a,75,c9,20,56,e7,
52,3d,7f,0c,5f,7f,0d,57,ee,17,02,7c,af,90,2c,f6,47,c6,bf,f5,5e,1f,0c,bb,29,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RALINK\Common\RaRegistry.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2012-01-17 08:41:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 13:41
ComboFix2.txt 2012-01-16 21:01
ComboFix3.txt 2012-01-16 13:42
ComboFix4.txt 2012-01-15 16:44
.
Pre-Run: 74,802,393,088 bytes free
Post-Run: 74,777,542,656 bytes free
.
- - End Of File - - 72AE27CF9CA70A62F896B9A243B72612
Old 01-17-2012, 07:44 AM   #14
amateur
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

Hi Alera,

If you have no further malware issues, you're all set to go. The logs are clean.

Please disable all protection applications as before.
  • Click Start, then Run
  • Now type ComboFix /Uninstall in the Run box and click OK. Notice the space between ComboFix and the /

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

You may re-enable your security applications now.

It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:

Strong passwords: How to create and use them


You may also consider a password keeper, to keep all your passwords safe.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

It's vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!
Old 01-17-2012, 10:27 AM   #15
Alera
Registered Member
Join Date: Dec 2010
Posts: 17
OS: Windows XP

Fantastic, thanks very much for the help ^_^
Old 01-17-2012, 10:34 AM   #16
amateur
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,742
OS: XP Win7 Ubuntu 10.10

You're welcome. Glad to have been able to help. Stay safe!

Copyright 2001 - 2014, Tech Support Forum