Old 04-25-2009, 09:50 AM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 13
OS: XP


slow computer / zrexymv.dll is not a valid Windows Image

Hello,

I have two major symptoms:
  1. Computer is responding very slowly
  2. Multiple invalid Windows image messages

My computer is responding very slowly.

I'm receiving multiple error dialog boxes when I start up MS Outlook 2003. Each error has a different title on the error box, but the same message.

I have endeavoured to provide detailed information on configuration and steps I've taken on my own. Also I've attached a compressed file of some results.

Error
When I start up Microsoft Outlook 2003 (11.8217.8221) SP3
Part of Microsoft Office Professional Edition 2003,

Error Messages
I receive a warning box with the title:
“McAgent_Main_hidden_windows: mcagent.exe – Bad Image”

Message in the box: “The application or DLL c:\windows\system32\zrexymv.dll is not a valid Windows image. Please check this against your installation diskette.”

When I click okay, I receive another warning box titled:
Netropa Hot Key: MMKeybd.exe – Bad Image

Which contains the exact same warning message:
“The application or DLL c:\windows\system32\zrexymv.dll is not a valid Windows image. Please check this against your installation diskette.”

Clicking Okay results in the following warning dialogs, each with a different title but the same message. The titles of the rest of the warning dialogs are:

Gmer.exe – Bad Image
Netropa OnScreen Display: OSD.exe – Bad Image
Google ToolbarNotifier.exe – Bad Image
DellTouch Programmable Keys: Traymon.exe – Bad Image
{A7E495BF-9589-4a6e-8479-DDA2D8D3C057}: Google ToolbarNotifier.exe – Bad Image

Other characteristics
Machine is much slower to respond when starting up programs like IE6.
Scrolling through the c:\windows\system32 file is extremely slow. The scroll bar on the right moves about 10%, then freezes for 2-10 seconds or so.

Operating System
Version of OS: Windows XP Professional, SP3
No recent crashes
New software –
New hardware - NetGear wireless router added a week ago. I'm running an encrypted link, WPA2.
Scan with anti-virus program: Yes, McAfee; it found 10 things, I clicked fix.
Scan with anti-trojan program: No
Scan with root kit detection: Yes, but Gmer is very slow - attached results from a 4-hour run.

Anti-spyware scans – Ad-aware found only some tracking cookies.

Steps I have taken:
I’ve tried to rename the file zrexymv.dll, but it is in use, even when I do an msconfig-controlled limited boot.

I ran configure with my Windows XP Professional CD.
After I did this I read and realized that this CD is an older version of Windows XP.
No, I haven’t slipstreamed SP3 – I saw instructions for it after I’d run the check.

I ran the repair with Microsoft Office 2003 CD.
It passed, but the error boxes still occur when starting Outlook 2003.

DDS Results

DDS (Ver_09-03-16.01) - NTFSx86
Run by Chuck Rolston at 10:32:56.15 on Sat 04/25/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.618 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\HGRA\HGRA\WENGINE\wmonitor.exe
C:\Program Files\HGRA\HGRA\FLUtilsSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HGRA\HGRA\ServiceMgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HGRA\HGRA\e360SysTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chuck Rolston\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
mWinlogon: userinit=userinit.exe
BHO: : {4bc55d2a-1969-4b85-a11c-16b1e034f5d9} - c:\windows\system32\bwyxmmx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TBSB00982 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [e360SysTray] c:\program files\hgra\hgra\e360SysTray.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
StartupFolder: c:\docume~1\chuckr~1\startm~1\programs\startup\pictur~1.lnk - f:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: NoDispBackgroundPage = 00
uPolicies-system: NoDispScrSavPage = 00
mPolicies-explorer: PreXPSP2ShellProtocolBehavior = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: cessna.org\www
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126327699763
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126327690340
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38649.845775463
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: ckpNotify - ckpNotify.dll
Notify: clgtdbhd - bwyxmmx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: karna.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli np32dty.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chuckr~1\applic~1\mozilla\firefox\profiles\jp5y81zm.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 shgffjau;shgffjau;c:\windows\system32\drivers\shgffjau.sys [2001-8-18 23424]
R1 cdudf;cdudf;c:\windows\system32\drivers\Cdudf.sys [2001-6-27 230048]
R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-5-20 2234320]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-18 201320]
R2 BlackICE;BlackICE;c:\program files\network ice\blackice\blackd.exe [2005-10-30 847872]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-5-20 36400]
R2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\hgra\hgra\wengine\wmonitor.exe [2006-1-13 69692]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-18 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-18 144704]
R2 pqprowge;Volume Manager Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-5-20 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-5-20 671408]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-10-30 9433]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-18 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-18 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-18 40488]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-6-23 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-6-23 554304]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [2005-10-30 227285]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-10-30 115680]
S2 r_server;Remote Administrator Service;"c:\windows\system32\r_server.exe" /service --> c:\windows\system32\r_server.exe [?]
S2 XLSNZYFY;XLSNZYFY;\??\c:\windows\system32\xlsnzyfy.iqi --> c:\windows\system32\xlsnzyfy.iqi [?]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-2 17536]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-14 29744]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [2005-12-20 16777]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [2005-12-20 12905]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-18 33832]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2005-10-30 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2005-10-30 24344]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2003-6-13 19232]

=============== Created Last 30 ================

2009-04-24 06:03 3,840 a------- c:\windows\system32\drivers\BANTExt.sys
2009-04-24 06:02 <DIR> --d----- c:\program files\Belarc
2009-04-19 19:39 49,904 a----r-- c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-19 19:38 <DIR> --d----- C:\Netgear
2009-04-18 13:59 <DIR> --d-h--- c:\windows\PIF
2009-04-18 10:53 9,977 a------- c:\windows\system32\Config.MPF
2009-04-18 10:53 143,360 a------- c:\windows\system32\dunzip32.dll
2009-04-18 10:49 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-18 10:48 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-18 10:48 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 10:48 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 10:48 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-18 10:48 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-18 10:48 <DIR> --d----- c:\program files\McAfee.com
2009-04-18 10:48 <DIR> --d----- c:\program files\common files\McAfee
2009-04-18 10:48 <DIR> --d----- c:\program files\McAfee
2009-04-18 10:27 0 a------- C:\sr_tde.all
2009-04-18 08:59 <DIR> --dsh--- c:\windows\system32\lowsec
2009-04-15 04:50 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 04:50 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 04:50 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 04:50 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 04:50 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 04:50 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 04:50 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 04:50 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 04:50 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 04:49 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 04:48 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 04:48 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 19:52 <DIR> --d----- c:\program files\EditPlus 3
2009-04-14 19:52 <DIR> --d----- c:\docume~1\chuckr~1\applic~1\EditPlus 3
2009-04-11 22:33 <DIR> --d----- c:\program files\Antbar
2009-04-05 22:14 5,248 a------- c:\windows\system32\affhdd.sys
2009-04-05 22:14 <DIR> --d----- c:\program files\HDD Capacity Restore
2009-04-05 13:23 <DIR> --d----- c:\program files\Western Digital

==================== Find3M ====================

2009-04-18 11:27 171,018 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 03:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 03:10 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32(2).dll
2005-11-14 22:10 19,664 a------- c:\docume~1\chuckr~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:34:17.47 ===============

I had posted a request to 'zrexymv.dll is not a valid Windows Image' but I received little assistance there. I posted a message there to 'close' it and will subscribe to this thread.

I could try several other things, but I would appreciate your advice on the next course of action. Other forums on this site have been very useful.

Thank you for your attention.
Nimblefingers.
Attached Files
File Type: zip Attach.zip (4.0 KB, 3 views)
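The loading points an analyst checks in a DDS log like the one above, as an added example for this thread (not code from DDS, ComboFix or the forum): the script parses the Pseudo HJT Report and SERVICES / DRIVERS lines and applies structural checks, each hit being a review candidate rather than a verdict. The sample input is constructed from lines of this log plus a few plainly legitimate entries; the check names and the 'scecli' default are this example's own assumptions.

```python
"""DDS loading-point triage (added example for this thread, not DDS, ComboFix or
forum tooling): parse the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines of
a DDS log and apply structural checks; every hit is a review candidate."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log in the first post, plus a
# few plainly legitimate entries (Google, Logitech, McAfee) for contrast.
SAMPLE_DDS = r"""BHO: : {4bc55d2a-1969-4b85-a11c-16b1e034f5d9} - c:\windows\system32\bwyxmmx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
Notify: ckpNotify - ckpNotify.dll
Notify: clgtdbhd - bwyxmmx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: karna.dat
LSA: Notification Packages = scecli np32dty.dll
R0 shgffjau;shgffjau;c:\windows\system32\drivers\shgffjau.sys [2001-8-18 23424]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-4-18 201320]
R2 pqprowge;Volume Manager Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S2 r_server;Remote Administrator Service;"c:\windows\system32\r_server.exe" /service --> c:\windows\system32\r_server.exe [?]
S2 XLSNZYFY;XLSNZYFY;\??\c:\windows\system32\xlsnzyfy.iqi --> c:\windows\system32\xlsnzyfy.iqi [?]
"""

@dataclass
class Entry:
    kind: str                  # BHO, Notify, AppInit_DLLs, LSA or Service
    name: str                  # display name exactly as DDS printed it (may be empty)
    target: str                # file the loading point references, as written
    unreadable: bool = False   # DDS printed "[?]": it could not read date/size

@dataclass
class Finding:
    check: str
    target: str
    reason: str

BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{[0-9a-f-]+\} - (?P<target>.+)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<target>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);"
                    r"(?P<image>.+?)(?: \[(?P<info>[^\]]*)\])?$")
# Image path up to its extension: quoted, 8.3, or unquoted with spaces.
IMAGE_RE = re.compile(r'^"?(?P<path>(?:\\\?\?\\)?[a-z]:\\.*?\.[a-z0-9]{1,4})"?(?:\s|$)', re.I)
EXPECTED_EXT = {"BHO": {"dll"}, "Notify": {"dll"}, "AppInit_DLLs": {"dll"},
                "LSA": {"dll"}, "Service": {"exe", "sys"}}
LSA_DEFAULT = {"scecli"}   # assumption used here: the stock XP Notification Packages value

def parse_dds(text):
    """Turn the relevant DDS lines into Entry records; everything else is skipped."""
    entries = []
    for line in text.splitlines():
        if m := BHO_RE.match(line):
            entries.append(Entry("BHO", m["name"], m["target"]))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("Notify", m["name"], m["target"]))
        elif line.startswith("AppInit_DLLs:"):
            for f in line.split(":", 1)[1].replace(",", " ").split():
                entries.append(Entry("AppInit_DLLs", "", f))
        elif line.startswith("LSA: Notification Packages"):
            for f in line.split("=", 1)[1].split():
                entries.append(Entry("LSA", "", f))
        elif m := SVC_RE.match(line):
            image = m["image"].split(" --> ")[-1]   # DDS writes the resolved path after -->
            pm = IMAGE_RE.match(image)
            path = pm["path"].replace("\\??\\", "") if pm else image
            entries.append(Entry("Service", m["display"], path, m["info"] == "?"))
    return entries

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(entries):
    """Structural checks: none proves malice, each earns the entry a second look."""
    findings = []
    for e in entries:
        base = basename(e.target)
        stem, ext = (base.rsplit(".", 1) + [""])[:2]   # 'scecli' has no extension
        def add(check, why):
            findings.append(Finding(check, e.target, why))
        if e.kind == "AppInit_DLLs":
            add("appinit", "AppInit_DLLs is empty on a clean XP; this loads into every user32 process")
        if e.kind == "LSA" and stem not in LSA_DEFAULT:
            add("lsa-package", "non-default LSA notification package, runs inside lsass.exe")
        if e.kind == "BHO" and not e.name:
            add("empty-name", "BHO registered without a display name")
        if e.kind in ("Notify", "AppInit_DLLs") and "\\" not in e.target:
            add("bare-name", "bare file name resolved via the loader search path; locate it")
        if ext and ext not in EXPECTED_EXT[e.kind]:
            add("odd-extension", f".{ext} is not a normal extension for a {e.kind} entry")
        if e.kind == "Service" and base == "svchost.exe":
            add("svchost-hosted", f"{e.name!r} runs inside svchost; verify its ServiceDll value")
        if e.unreadable:
            add("unreadable", "DDS could not read the file ([?]): missing, hidden or locked")
    for name, n in Counter(basename(e.target) for e in entries).items():
        if n > 1:
            findings.append(Finding("shared-file", name, f"referenced from {n} loading points"))
    return findings

if __name__ == "__main__":
    for f in triage(parse_dds(SAMPLE_DDS)):
        print(f"[{f.check:14}] {f.target}: {f.reason}")
```

The randomly named driver shgffjau.sys passes every structural check here, which is why the full list still gets read by a human rather than by rules alone.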
Old 04-27-2009, 02:40 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Note: Please rename combofix.exe to cfix.exe

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Old 04-30-2009, 07:10 AM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Dear Angelfire777,

Thank you for responding to my posting.

Here is the combofix text log. I don't know how to disable the McAfee from Comcast, so I had to run combofix with it running.

I do see in the find3m report the name of the dll that is reported in the error messages: Zrexymv.dll.

The system seems a little better. I didn't see the messages about an invalid Windows image when I ran Outlook, which would do it before.

But now when I click on a link in an Outlook message, the computer opens the browser, but does not put the URL in the address window. Instead a dialog opens: "Locate Link Browser". I clicked on Internet Explorer. IE opens, but not at the hyperlink address.

Here is the log.

Looking forward to your reply.
===================

ComboFix 09-04-29.07 - Chuck Rolston 04/30/2009 7:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.769 [GMT -5:00]
Running from: c:\documents_mine\downloads\combofix\CFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\m3.dll
c:\windows\Tasks\At1.job
c:\windows\system32\bwyxmmx.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PQPROWGE
-------\Legacy_R_SERVER
-------\Service_pqprowge
-------\Service_r_server


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 12:04 . 2009-04-30 12:05 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 12:06 . 2009-04-26 12:06 -------- d-----w c:\program files\Smart Projects
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 02:40 . 2009-04-25 02:43 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-24 11:02 . 2009-04-24 11:02 -------- d-----w c:\program files\Belarc
2009-04-20 00:39 . 2007-06-15 16:28 49904 ----a-r c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-20 00:38 . 2009-04-20 00:57 -------- d-----w C:\Netgear
2009-04-18 18:59 . 2009-04-18 18:59 -------- d--h--w c:\windows\PIF
2009-04-18 15:53 . 2006-03-03 13:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-18 15:49 . 2007-11-22 11:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-18 15:48 . 2007-12-02 17:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-18 15:48 . 2007-11-22 11:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-18 15:48 . 2007-07-13 11:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\McAfee.com
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 15:48 . 2009-04-20 15:52 -------- d-----w c:\program files\McAfee
2009-04-15 09:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:48 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\program files\EditPlus 3
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\documents and settings\Chuck Rolston\Application Data\EditPlus 3
2009-04-12 03:50 . 2009-04-29 12:35 -------- d-----w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\ant.com
2009-04-12 03:33 . 2009-04-12 03:33 -------- d-----w c:\program files\Antbar
2009-04-06 03:14 . 2007-04-13 02:02 5248 ----a-w c:\windows\system32\affhdd.sys
2009-04-06 03:14 . 2009-04-06 03:14 -------- d-----w c:\program files\HDD Capacity Restore
2009-04-05 18:23 . 2009-04-05 18:23 -------- d-----w c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 12:18 . 2001-08-18 12:00 102912 ----a-w c:\windows\system32\zrexymv.dll
2009-04-30 04:50 . 2005-10-05 03:17 -------- d-----w c:\program files\Netropa
2009-04-21 11:55 . 2006-12-03 21:07 -------- d-----w c:\program files\Radmin
2009-04-18 03:25 . 2006-01-18 03:25 -------- d-----w c:\program files\Common Files\Logitech
2009-04-15 00:41 . 2005-10-22 14:41 -------- d-----w c:\program files\EditPlus 2
2009-04-05 18:23 . 2005-09-18 20:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-01-08 20:23 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-10 04:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 05:33 . 2005-09-10 05:23 55744 ----a-w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32(2).dll
2008-08-27 11:46 . 2007-10-14 10:20 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BC55D2A-1969-4B85-A11C-16B1E034F5D9}]
2001-08-18 12:00 102912 ----a-w c:\windows\system32\bwyxmmx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-03 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-06 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-06-27 643072]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Chuck Rolston\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - f:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-9 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-5 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2005-10-4 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 19:27 24681 ----a-w c:\windows\system32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

R2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R2 XLSNZYFY;XLSNZYFY; [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-27 29744]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
R3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2003-06-20 24344]
R3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2003-06-13 19232]
S0 shgffjau;shgffjau;c:\windows\system32\drivers\shgffjau.sys [2001-08-18 23424]
S1 cdudf;cdudf; [x]
S1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2005-09-08 2234320]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2005-09-08 36400]
S2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [2006-01-13 69692]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2005-09-08 109072]
S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [2005-09-08 671408]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2004-09-09 227285]

.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-22 18:30]

2009-04-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-04-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Trusted Zone: cessna.org\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chuck Rolston\Application Data\Mozilla\Firefox\Profiles\jp5y81zm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 07:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1588)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3724)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\HGRA\HGRA\FLUtilsSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\HGRA\HGRA\ServiceMgr.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Netropa\OSD.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-04-30 7:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 12:33

Pre-Run: 8,234,147,840 bytes free
Post-Run: 11,088,728,064 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

258 --- E O F --- 2009-04-30 12:01
nimblefingers is offline  
Old 05-01-2009, 11:14 AM   #4 (permalink)
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hi,

*To disable McAfee:

Please navigate to the system tray and double-click the taskbar icon to open Security Center.

* Click Advanced Menu (bottom mid-left).
* Click Configure (left).
* Click Computer & Files (top left).
* VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.

Do the same via Internet & Network for Firewall Plus.


*The problem you're having with Outlook is a bug. Do these steps to fix it:

Double-click My Computer.
On the Tools menu, click Folder Options.
Click the File Types tab.
Under Extension, locate the "N/A" entry, and then locate the "URL:HyperText Transfer Protocol" entry under File Types.
Click Advanced.
Under Actions, select Open, click Edit, remove the tick from DDE, and press OK.
Click Set Default, and then click OK two times.

Do that for "URL: HyperText with security" as well, and maybe for HTML/HTM if it still doesn't work, and you'll be fine.



*Open Notepad.
Copy and paste the text inside the code box below into Notepad.
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/370301-slow-computer-zrexymv-dll-not-valid-windows-image.html
Driver::
XLSNZYFY
shgffjau
cdudf
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4BC55D2A-1969-4B85-A11C-16B1E034F5D9}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
Collect::
c:\windows\system32\zrexymv.dll
c:\windows\system32\bwyxmmx.dll
c:\windows\system32\drivers\shgffjau.sys
DDS::
Trusted Zone: cessna.org\www
Trusted Zone: internet
Trusted Zone: mcafee.com
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.



*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 4
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 11
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
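The CFScript in the post above encodes a judgement about the ComboFix log: services registered with no file behind them (`[x]`), a driver with a random-looking name and no descriptive display name, and Security Center monitoring keys set to 1. As an added example, not code from the thread or from ComboFix, this Python triage helper applies the same checks to a constructed excerpt of the log lines quoted earlier and renders the findings in the Driver::/Registry:: layout the script uses; the consonant-run heuristic for random names is this example's own assumption, not a ComboFix rule.

```python
"""Triage a ComboFix-style log excerpt the way the analyst did above.
Added example, not from the thread or from ComboFix. It flags services with
no file on disk ("[x]"), drivers whose display name merely repeats a
random-looking service name, and Security Center monitoring switched off.
SAMPLE_LOG is a constructed excerpt of lines quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

R2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R2 XLSNZYFY;XLSNZYFY; [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
S0 shgffjau;shgffjau;c:\windows\system32\drivers\shgffjau.sys [2001-08-18 23424]
S1 cdudf;cdudf; [x]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]
"""

# start type (R=running/S=stopped), name, display name, path, then "[date size]" or "[x]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*?)\s*\[(x|\d{4}-\d{2}-\d{2} \d+)\]\s*$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:([0-9a-fA-F]+)$')


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    stamp: str  # "x" when ComboFix found no file behind the registered service


def max_consonant_run(name: str) -> int:
    """Longest run of consonant letters; pronounceable names keep this short."""
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic (assumption): all-letter name with a 5+ consonant run (shgffjau, XLSNZYFY)."""
    return name.isalpha() and max_consonant_run(name) >= 5


def suspect_reason(entry: ServiceEntry) -> str | None:
    if entry.stamp == "x":
        return "service registered but its file is missing ([x])"
    if entry.display == entry.name and looks_random(entry.name):
        return "random-looking name with no descriptive display name"
    return None  # tbcwdm has a long consonant run but a real display name


@dataclass
class Triage:
    suspect_services: dict[str, str] = field(default_factory=dict)  # name -> reason
    monitoring_disabled: list[str] = field(default_factory=list)  # registry keys


def triage(log_text: str) -> Triage:
    result = Triage()
    current_key = ""
    for line in log_text.splitlines():
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif (m := DISABLE_RE.match(line)) and "security center\\monitoring" in current_key.lower():
            if int(m.group(1), 16) != 0:  # dword:00000001 = Security Center not watching it
                result.monitoring_disabled.append(current_key)
        elif m := SERVICE_RE.match(line):
            entry = ServiceEntry(*m.groups())
            if reason := suspect_reason(entry):
                result.suspect_services[entry.name] = reason
    return result


def cfscript_sections(result: Triage) -> str:
    """Render findings in the Driver::/Registry:: layout of the CFScript above:
    flagged services to remove, and each disabled monitoring key reset to 0."""
    lines = ["Driver::", *result.suspect_services]
    if result.monitoring_disabled:
        lines.append("Registry::")
        for key in result.monitoring_disabled:
            lines += [f"[{key}]", '"DisableMonitoring"=dword:00000000']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(cfscript_sections(triage(SAMPLE_LOG)))
```

On the sample excerpt the three flagged names are exactly the ones the analyst listed under Driver::, while tbcwdm and BlackICE, which also repeat or compress their names, are left alone because of their display names or short consonant runs.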
Old 05-02-2009, 08:12 PM   #5 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hello AngelFire777,

Thank you for providing the instructions.

I have disabled McAfee per your instructions.
I ran the ComboFix using the attached script.
I have uploaded the file
C:\QooBox\Quarantine\[4]-Submit_2009-5-2_10.1.29.zip
to the URL at BleepingComputer.

I've included the Combofix log below.

I corrected the file type association for Outlook.

I removed all the Java applications per instructions and installed the runtime as directed. I then deleted the cache per instructions.

I ran the online scan.
I've included the log file:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 17:38:06
Records in database: 2120851
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 470403
Threat name: 8
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 09:08:35


File name / Threat name / Threats count
C:\Documents and Settings\Chuck Rolston\My Documents\My Pictures\Chuck Rolston\Desktop\pda\Ad-awareSE_setup.EXE Infected: not-a-virus:NetTool.Win32.PsKill.a 1
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 1
C:\Program Files\Radmin Viewer 3.0\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.30 1
C:\Qoobox\Quarantine\[4]-Submit_2009-5-2_10.1.29.zip Infected: Trojan.Win32.BHO.ext 1
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 1
F:\Documents and Settings\Chuck Rolston.zip Infected: not-a-virus:NetTool.Win32.PsKill.a 1
F:\Program Files\GIB\01setup.EXE Infected: not-a-virus:Porn-Dialer.Win32.Generic 1
F:\_RESTORE\ARCHIVE\FS2830.CAB Infected: not-a-virus:AdWare.Win32.SaveNow.aa 1
F:\_RESTORE\ARCHIVE\FS2830.CAB Infected: not-a-virus:AdWare.Win32.SaveNow.au 1

The selected area was scanned.


Here is the combofix_log.txt:

ComboFix 09-04-29.07 - Chuck Rolston 05/02/2009 10:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.850 [GMT -5:00]
Running from: c:\documents and settings\Chuck Rolston\Desktop\CFix.exe
Command switches used :: c:\documents and settings\Chuck Rolston\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

file zipped: c:\windows\system32\bwyxmmx.dll
file zipped: c:\windows\system32\drivers\shgffjau.sys
file zipped: c:\windows\system32\zrexymv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bwyxmmx.dll
c:\windows\system32\drivers\shgffjau.sys
c:\windows\system32\zrexymv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDUDF
-------\Legacy_SHGFFJAU
-------\Legacy_XLSNZYFY
-------\Service_cdudf
-------\Service_shgffjau
-------\Service_XLSNZYFY


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-5-2 )))))))))))))))))))))))))))))))
.

2009-05-02 14:39 . 2009-05-02 14:40 -------- d-----w c:\documents and settings\Chuck Rolston\.SunDownloadManager
2009-04-30 12:04 . 2009-04-30 12:05 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 12:06 . 2009-04-26 12:06 -------- d-----w c:\program files\Smart Projects
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 02:40 . 2009-04-25 02:43 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-24 11:02 . 2009-04-24 11:02 -------- d-----w c:\program files\Belarc
2009-04-20 00:39 . 2007-06-15 16:28 49904 ----a-r c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-20 00:38 . 2009-04-20 00:57 -------- d-----w C:\Netgear
2009-04-18 18:59 . 2009-04-18 18:59 -------- d--h--w c:\windows\PIF
2009-04-18 15:53 . 2006-03-03 13:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-18 15:49 . 2007-11-22 11:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-18 15:48 . 2007-12-02 17:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-18 15:48 . 2007-11-22 11:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-18 15:48 . 2007-07-13 11:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\McAfee.com
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 15:48 . 2009-04-20 15:52 -------- d-----w c:\program files\McAfee
2009-04-15 09:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:48 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\program files\EditPlus 3
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\documents and settings\Chuck Rolston\Application Data\EditPlus 3
2009-04-12 03:50 . 2009-05-01 21:09 -------- d-----w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\ant.com
2009-04-12 03:33 . 2009-04-12 03:33 -------- d-----w c:\program files\Antbar
2009-04-06 03:14 . 2007-04-13 02:02 5248 ----a-w c:\windows\system32\affhdd.sys
2009-04-06 03:14 . 2009-04-06 03:14 -------- d-----w c:\program files\HDD Capacity Restore
2009-04-05 18:23 . 2009-04-05 18:23 -------- d-----w c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 15:01 . 2001-08-18 12:00 23424 ----a-w c:\windows\system32\drivers\xflxaufr.sys
2009-05-02 14:56 . 2008-12-07 13:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 14:56 . 2005-09-13 11:07 -------- d-----w c:\program files\Java
2009-04-30 04:50 . 2005-10-05 03:17 -------- d-----w c:\program files\Netropa
2009-04-26 14:47 . 2009-04-30 12:42 171018 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
2009-04-21 11:55 . 2006-12-03 21:07 -------- d-----w c:\program files\Radmin
2009-04-18 03:25 . 2006-01-18 03:25 -------- d-----w c:\program files\Common Files\Logitech
2009-04-15 00:41 . 2005-10-22 14:41 -------- d-----w c:\program files\EditPlus 2
2009-04-05 18:23 . 2005-09-18 20:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-01-08 20:23 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-10 04:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 05:33 . 2005-09-10 05:23 55744 ----a-w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32(2).dll
2008-08-27 11:46 . 2007-10-14 10:20 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_12.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 15:09 . 2009-05-02 15:09 16384 c:\windows\Temp\Perflib_Perfdata_e4.dat
+ 2005-09-10 04:42 . 2009-05-02 10:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-10 04:42 . 2009-05-02 10:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-02 14:56 . 2009-05-02 14:56 148888 c:\windows\system32\javaws.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\java.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-03 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-06 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-06-27 643072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Chuck Rolston\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - f:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-9 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-5 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2005-10-4 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 19:27 24681 ----a-w c:\windows\system32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

R2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-27 29744]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
R3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2003-06-20 24344]
S1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2005-09-08 2234320]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2005-09-08 36400]
S2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [2006-01-13 69692]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2004-09-09 227285]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - SHGFFJAU
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-22 18:30]

2009-04-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-04-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chuck Rolston\Application Data\Mozilla\Firefox\Profiles\jp5y81zm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 10:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1576)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3748)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\HGRA\HGRA\FLUtilsSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\HGRA\HGRA\ServiceMgr.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Netropa\OSD.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-05-02 10:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 15:18
ComboFix2.txt 2009-04-30 12:33

Pre-Run: 7,923,404,800 bytes free
Post-Run: 10,457,563,136 bytes free

262 --- E O F --- 2009-04-30 12:01



I reactivated McAfee.

nimblefingers.
05-03-2009, 12:28 AM   #6
Angelfire777
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hi,

Most of what Kaspersky found are false positives. Do you know what these two files are?

F:\Documents and Settings\Chuck Rolston.zip
F:\Program Files\GIB\01setup.EXE


• Open Notepad.
• Copy and paste the text inside the code box below into Notepad.
Code:
File::
c:\windows\system32\drivers\xflxaufr.sys
Driver::
SHGFFJAU
• Save and name it "CFScript".
• Drag and drop CFScript.txt onto your copy of ComboFix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

How is it running?
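The CFScript above is assembled by hand from two things the ComboFix report shows: a name under "Other Services/Drivers In Memory" (`*NewlyCreated* - SHGFFJAU`, a driver that is loaded but has no registered service entry, so ComboFix prints neither a description nor a path for it) and a driver file with a random-looking name under `system32\drivers`. The following Python script is an added example for this thread, not ComboFix's or the analyst's own code. It parses the three line shapes of a ComboFix report that matter here (the `R3`/`S2` `name;description;path [date size]` service lines, the `*NewlyCreated*` lines, and the `Files Created`/`Find3M` file lines), flags names that look machine-generated, and emits a CFScript in the `File::`/`Driver::` format used above. The randomness heuristic (letters only, seven or more characters, a run of three or more consonants, and no vendor description) is my assumption, tuned to the names in this thread (SHGFFJAU, xflxaufr, zrexymv). The sample report is constructed from lines that appear in the logs in this thread; `tbcspud.sys` is included because the heuristic alone would flag it, and its "Santa Cruz Driver" description is what saves it.

```python
"""Flag randomly named drivers in a ComboFix report and build a CFScript.

Added example for this thread, not ComboFix's or the analyst's own code.
The randomness heuristic is an assumption tuned on the names seen here
(SHGFFJAU, xflxaufr, zrexymv); its output is a shortlist for review,
not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Service/driver line: "R3 name;description;path [yyyy-mm-dd size]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[\S+\s+\d+\]\s*$")
# "Other Services/Drivers In Memory" line: loaded, but no registered service, so no path
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(?P<name>\S+)\s*$")
# "Files Created" / "Find3M" line: "modified . created size attributes path"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+\S+\s+(?P<path>\S.*)$")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{3,}", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "service" (registered), "memory" (loaded, unregistered) or "file"
    name: str        # service name, or file name without extension
    path: str = ""   # empty when the report gives no path


def looks_random(name: str) -> bool:
    """Letters only, 7+ long, with a cluster of 3+ consonants (assumed heuristic)."""
    return name.isalpha() and len(name) >= 7 and CONSONANT_RUN_RE.search(name) is not None


def scan_combofix(report: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, desc = m["name"], m["desc"].strip()
            # A real vendor description ("Santa Cruz Driver") is weak evidence of
            # legitimacy; a description that merely repeats the name is not.
            if looks_random(name) and desc.lower() in ("", name.lower()):
                findings.append(Finding("service", name, m["path"]))
            continue
        m = NEWLY_RE.match(line)
        if m:
            if looks_random(m["name"]):
                findings.append(Finding("memory", m["name"]))
            continue
        m = FILE_RE.match(line)
        if m and m["size"].isdigit():      # directories print dashes for the size
            path = m["path"]
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\drivers\\" in path.lower() and looks_random(stem):
                findings.append(Finding("file", stem, path))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """CFScript text: File:: paths to delete, Driver:: service names to remove."""
    files = sorted({f.path for f in findings if f.path})
    drivers = sorted({f.name for f in findings if f.kind in ("service", "memory")})
    lines: List[str] = []
    if files:
        lines += ["File::"] + files
    if drivers:
        lines += ["Driver::"] + drivers
    return "\n".join(lines) + "\n"


# Constructed sample: lines copied from the ComboFix reports in this thread.
SAMPLE_REPORT = r"""
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2004-09-09 227285]
*NewlyCreated* - SHGFFJAU
2009-05-02 15:01 . 2001-08-18 12:00 23424 ----a-w c:\windows\system32\drivers\xflxaufr.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
"""

if __name__ == "__main__":
    print(build_cfscript(scan_combofix(SAMPLE_REPORT)))
```

Run on the sample it prints exactly the two-section script the analyst posted: `File::` with the `xflxaufr.sys` path and `Driver::` with `SHGFFJAU`. Two caveats a practitioner should keep in mind. First, the `*NewlyCreated*` line carries no path, so the `File::` entry has to come from the file listing; a loaded driver with no registered service and a file whose name passes the same test are only circumstantially linked, and the shortlist still needs a human look before it is dragged onto ComboFix. Second, in the report posted later in this thread the `xflxaufr.sys` entry shows a creation time of 2001-08-18 12:00, the same as the stock Windows XP files listed around it (`ntdll.dll`, `lsasrv.dll`), so sorting by creation date would not have surfaced it; the modification time (2009-05-02) and the name are what give it away. That later report also lists the file again after the poster restored to the restore point ComboFix created: ComboFix takes that restore point before it deletes anything, so rolling back to it reinstates what was removed.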
05-03-2009, 03:52 PM   #7
Registered User
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hello AngelFire777,

The file
F:\Documents and Settings\Chuck Rolston.zip
is a zip archive of my documents folder from a backup archive.

The file
F:\Program Files\GIB\01setup.EXE
I do not recognize.
The date on the 01setup.exe says 1/19/2002. Again I do not recognize.

I myself would not be concerned about deleting it. What action would you recommend I take?

The computer is now working very well. The warning messages are now gone. Outlook is working well, no warning messages. Response times seem normal.

What type of malware was found? What steps should I take to prevent recurrence?

I ran ComboFix with the script provided in the last post. The results are included below.

nimblefingers

ComboFix 09-04-29.07 - Chuck Rolston 05/03/2009 8:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.553 [GMT -5:00]
Running from: c:\documents and settings\Chuck Rolston\Desktop\CFix.exe
Command switches used :: c:\documents and settings\Chuck Rolston\Desktop\cfscript2.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\xflxaufr.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\xflxaufr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SHGFFJAU


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-5-3 )))))))))))))))))))))))))))))))
.

2009-05-02 14:39 . 2009-05-02 14:40 -------- d-----w c:\documents and settings\Chuck Rolston\.SunDownloadManager
2009-04-30 12:04 . 2009-04-30 12:05 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 12:06 . 2009-04-26 12:06 -------- d-----w c:\program files\Smart Projects
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 02:40 . 2009-04-25 02:43 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-24 11:02 . 2009-04-24 11:02 -------- d-----w c:\program files\Belarc
2009-04-20 00:39 . 2007-06-15 16:28 49904 ----a-r c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-20 00:38 . 2009-04-20 00:57 -------- d-----w C:\Netgear
2009-04-18 18:59 . 2009-04-18 18:59 -------- d--h--w c:\windows\PIF
2009-04-18 15:53 . 2006-03-03 13:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-18 15:49 . 2007-11-22 11:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-18 15:48 . 2007-12-02 17:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-18 15:48 . 2007-11-22 11:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-18 15:48 . 2007-07-13 11:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\McAfee.com
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 15:48 . 2009-04-20 15:52 -------- d-----w c:\program files\McAfee
2009-04-15 09:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:48 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\program files\EditPlus 3
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\documents and settings\Chuck Rolston\Application Data\EditPlus 3
2009-04-12 03:50 . 2009-05-03 12:22 -------- d-----w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\ant.com
2009-04-12 03:33 . 2009-04-12 03:33 -------- d-----w c:\program files\Antbar
2009-04-06 03:14 . 2007-04-13 02:02 5248 ----a-w c:\windows\system32\affhdd.sys
2009-04-06 03:14 . 2009-04-06 03:14 -------- d-----w c:\program files\HDD Capacity Restore
2009-04-05 18:23 . 2009-04-05 18:23 -------- d-----w c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 14:56 . 2008-12-07 13:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 14:56 . 2005-09-13 11:07 -------- d-----w c:\program files\Java
2009-04-30 04:50 . 2005-10-05 03:17 -------- d-----w c:\program files\Netropa
2009-04-26 14:47 . 2009-04-30 12:42 171018 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
2009-04-21 11:55 . 2006-12-03 21:07 -------- d-----w c:\program files\Radmin
2009-04-18 03:25 . 2006-01-18 03:25 -------- d-----w c:\program files\Common Files\Logitech
2009-04-15 00:41 . 2005-10-22 14:41 -------- d-----w c:\program files\EditPlus 2
2009-04-05 18:23 . 2005-09-18 20:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-01-08 20:23 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-10 04:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 05:33 . 2005-09-10 05:23 55744 ----a-w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32(2).dll
2008-08-27 11:46 . 2007-10-14 10:20 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_12.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 13:18 . 2009-05-03 13:18 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2005-09-10 04:42 . 2009-05-03 13:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-10 04:42 . 2009-05-03 13:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-05-02 14:56 . 2009-05-02 14:56 148888 c:\windows\system32\javaws.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\java.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-03 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-06 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-06-27 643072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Chuck Rolston\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - f:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-9 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-5 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2005-10-4 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 19:27 24681 ----a-w c:\windows\system32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

R2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-27 29744]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
R3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2003-06-20 24344]
R3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2003-06-13 19232]
R4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2004-09-09 227285]
S1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2005-09-08 2234320]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2005-09-08 36400]
S2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [2006-01-13 69692]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2005-09-08 109072]
S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [2005-09-08 671408]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]

.
Contents of the 'Scheduled Tasks' folder

2009-05-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-22 18:30]

2009-04-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-04-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chuck Rolston\Application Data\Mozilla\Firefox\Profiles\jp5y81zm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 08:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1576)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1752)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\HGRA\HGRA\FLUtilsSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\HGRA\HGRA\ServiceMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Netropa\OSD.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-05-03 8:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 13:27
ComboFix2.txt 2009-05-02 15:18
ComboFix3.txt 2009-04-30 12:33

Pre-Run: 8,631,922,688 bytes free
Post-Run: 9,686,716,416 bytes free

257 --- E O F --- 2009-04-30 12:01
05-04-2009, 05:06 AM   #8
Registered User
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hello Angelfire777,

I had a recurrence of spyware. I received notices from McAfee of win21.banker.fs and a trojan .spy agend.... (didn't write the whole name down).

I performed a System Restore to 5/3/2009, which was made by ComboFix during the last run.

This seemed to get most of the malware out.

I ran a full McAfee scan; it didn't find anything.

I ran ComboFix without any scripts.

Here is the log file.

ComboFix 09-04-29.07 - Chuck Rolston 05/04/2009 5:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.869 [GMT -5:00]
Running from: c:\documents and settings\Chuck Rolston\Desktop\CFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chuck Rolston\Application Data\~tmp.html
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll.cla

.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-5-4 )))))))))))))))))))))))))))))))
.

2009-05-04 00:59 . 2009-05-04 01:01 128 --sha-w c:\windows\system32\382453472.dat
2009-05-03 22:55 . 2009-05-04 01:16 -------- d-sh--w C:\RECYCLER(2)
2009-05-02 14:39 . 2009-05-02 14:40 -------- d-----w c:\documents and settings\Chuck Rolston\.SunDownloadManager
2009-04-30 12:04 . 2009-04-30 12:05 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 02:40 . 2009-04-25 02:43 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-24 11:02 . 2009-04-24 11:02 -------- d-----w c:\program files\Belarc
2009-04-20 00:39 . 2007-06-15 16:28 49904 ----a-r c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-20 00:38 . 2009-04-20 00:57 -------- d-----w C:\Netgear
2009-04-18 18:59 . 2009-04-18 18:59 -------- d--h--w c:\windows\PIF
2009-04-18 15:53 . 2006-03-03 13:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-18 15:49 . 2007-11-22 11:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-18 15:48 . 2007-12-02 17:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-18 15:48 . 2007-11-22 11:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-18 15:48 . 2007-07-13 11:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\McAfee.com
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 15:48 . 2009-04-20 15:52 -------- d-----w c:\program files\McAfee
2009-04-15 09:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:48 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\program files\EditPlus 3
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\documents and settings\Chuck Rolston\Application Data\EditPlus 3
2009-04-12 03:50 . 2009-05-04 01:22 -------- d-----w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\ant.com
2009-04-12 03:33 . 2009-04-12 03:33 -------- d-----w c:\program files\Antbar
2009-04-06 03:14 . 2007-04-13 02:02 5248 ----a-w c:\windows\system32\affhdd.sys
2009-04-06 03:14 . 2009-04-06 03:14 -------- d-----w c:\program files\HDD Capacity Restore
2009-04-05 18:23 . 2009-04-05 18:23 -------- d-----w c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 15:01 . 2001-08-18 12:00 23424 ----a-w c:\windows\system32\drivers\xflxaufr.sys
2009-05-02 14:56 . 2008-12-07 13:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 14:56 . 2005-09-13 11:07 -------- d-----w c:\program files\Java
2009-04-30 04:50 . 2005-10-05 03:17 -------- d-----w c:\program files\Netropa
2009-04-26 14:47 . 2009-04-30 12:42 171018 ----a-w c:\windows\PCHEALTH\HELPCTR\Config\Cache\Professional_32_1033.dat
2009-04-21 11:55 . 2006-12-03 21:07 -------- d-----w c:\program files\Radmin
2009-04-18 03:25 . 2006-01-18 03:25 -------- d-----w c:\program files\Common Files\Logitech
2009-04-15 00:41 . 2005-10-22 14:41 -------- d-----w c:\program files\EditPlus 2
2009-04-05 18:23 . 2005-09-18 20:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-01-08 20:23 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-10 04:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 05:33 . 2005-09-10 05:23 55744 ----a-w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-02-03 19:59 . 2001-08-18 12:00 56832 ----a-w c:\windows\system32\secur32(2).dll
2008-08-27 11:46 . 2007-10-14 10:20 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_12.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 10:05 . 2009-05-04 10:05 16384 c:\windows\Temp\Perflib_Perfdata_58c.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-10 04:42 . 2009-05-04 06:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-09-10 04:42 . 2009-05-04 06:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-10-23 06:40 . 2009-05-04 01:16 230620 c:\windows\system32\Restore\rstrlog.dat
- 2008-12-07 13:50 . 2008-12-07 13:49 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\javaw.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\java.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-03 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-06 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-06-27 643072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Chuck Rolston\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - f:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-9 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-5 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2005-10-4 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 19:27 24681 ----a-w c:\windows\system32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

R2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2003-08-19 115680]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-27 29744]
R3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\Drivers\grmn0200.sys [2003-02-14 16777]
R3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\Drivers\grmn1200.sys [2002-09-10 12905]
R3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2003-06-20 36676]
R3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2003-06-20 24344]
R3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [2003-06-13 19232]
S1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2005-09-08 2234320]
S2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [2004-10-29 847872]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2005-09-08 36400]
S2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [2006-01-13 69692]
S2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2005-09-08 109072]
S2 VPN-1;VPN-1 Module;c:\windows\System32\drivers\vpn.sys [2005-09-08 671408]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2003-08-19 9433]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2003-06-23 149632]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2003-06-23 554304]
S4 black;black;c:\windows\system32\drivers\BlackDrv.sys [2004-09-09 227285]

.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-22 18:30]

2009-04-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-04-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chuck Rolston\Application Data\Mozilla\Firefox\Profiles\jp5y81zm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 05:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1576)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-05-04 5:19
ComboFix-quarantined-files.txt 2009-05-04 10:19
ComboFix2.txt 2009-05-03 13:27
ComboFix3.txt 2009-05-02 15:18
ComboFix4.txt 2009-04-30 12:33

Pre-Run: 10,410,373,120 bytes free
Post-Run: 10,408,218,624 bytes free

225 --- E O F --- 2009-04-30 12:01

Last edited by nimblefingers; 05-04-2009 at 05:35 AM.
nimblefingers is offline  
Old 05-04-2009, 11:42 PM   #9 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

Hi,

Please avoid doing anything on your own .. I understand that you simply wish to help, I appreciate that but doing a system restore for example may bring us a step back here..

Also, please understand that at this time, your McAfee is bound to find some malware and probably leftover and other harmless files too. If that happens, it helps a lot if you jot down the path and name of the file and include it in your reply .. Thanks!


*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/370301-slow-computer-zrexymv-dll-not-valid-windows-image.html
File::
c:\windows\system32\382453472.dat
c:\windows\system32\drivers\xflxaufr.sys
c:\windows\system32\secur32(2).dll
Folder::
C:\RECYCLER(2)
Suspect::[55]
F:\Program Files\GIB\01setup.EXE
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 05-06-2009, 04:16 AM   #10 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Dear AngelFire777,

Thank you for your reply. I'll wait for your instructions. My apologies.

I ran Combofix with the script provided. Combofix did perform an upload to the internet, so the file should be where it put it.

Here is the combofix transcript.

nimblefingers


ComboFix 09-05-05.03 - Chuck Rolston 05/06/2009 4:50.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.692 [GMT -5:00]
Running from: c:\documents and settings\Chuck Rolston\Desktop\CFix.exe
Command switches used :: c:\documents and settings\Chuck Rolston\Desktop\cfscript090506.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

FILE ::
c:\windows\system32\382453472.dat
c:\windows\system32\drivers\xflxaufr.sys
c:\windows\system32\secur32(2).dll

file zipped: f:\program files\GIB\Suspect_01setup.EXE.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-1801674531-1677128483-1060284298-1003(2)\INFO2
c:\windows\system32\382453472.dat
c:\windows\system32\drivers\xflxaufr.sys
c:\windows\system32\secur32(2).dll

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-05-06 09:42 . 2009-03-11 03:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-06 09:42 . 2009-03-11 03:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-06 09:42 . 2009-05-06 09:42 -------- d-----w c:\windows\system32\KB905474
2009-05-02 14:39 . 2009-05-02 14:40 -------- d-----w c:\documents and settings\Chuck Rolston\.SunDownloadManager
2009-04-30 12:04 . 2009-04-30 12:05 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-04-26 12:01 . 2009-04-26 12:01 -------- d-----w c:\program files\7-Zip
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-26 02:00 . 2009-04-26 02:42 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-25 02:40 . 2009-04-25 02:43 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-24 11:03 . 2008-02-27 18:49 3840 ----a-w c:\windows\system32\drivers\BANTExt.sys
2009-04-24 11:02 . 2009-04-24 11:02 -------- d-----w c:\program files\Belarc
2009-04-20 00:39 . 2007-06-15 16:28 49904 ----a-r c:\windows\system32\drivers\BVRPMPR5.SYS
2009-04-20 00:38 . 2009-04-20 00:57 -------- d-----w C:\Netgear
2009-04-18 18:59 . 2009-04-18 18:59 -------- d--h--w c:\windows\PIF
2009-04-18 15:53 . 2006-03-03 13:07 143360 ----a-w c:\windows\system32\dunzip32.dll
2009-04-18 15:49 . 2007-11-22 11:44 33832 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-18 15:48 . 2007-12-02 17:51 40488 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 35240 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-18 15:48 . 2007-11-22 11:44 79304 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-18 15:48 . 2007-11-22 11:44 201320 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-04-18 15:48 . 2007-07-13 11:20 113952 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\McAfee.com
2009-04-18 15:48 . 2009-04-18 15:48 -------- d-----w c:\program files\Common Files\McAfee
2009-04-18 15:48 . 2009-04-20 15:52 -------- d-----w c:\program files\McAfee
2009-04-15 09:50 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 09:50 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 09:50 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 09:50 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 09:50 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 09:50 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 09:50 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 09:50 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 09:50 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 09:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 09:48 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\program files\EditPlus 3
2009-04-15 00:52 . 2009-04-18 02:57 -------- d-----w c:\documents and settings\Chuck Rolston\Application Data\EditPlus 3
2009-04-12 03:50 . 2009-05-05 12:33 -------- d-----w c:\documents and settings\Chuck Rolston\Local Settings\Application Data\ant.com
2009-04-12 03:33 . 2009-04-12 03:33 -------- d-----w c:\program files\Antbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 14:56 . 2008-12-07 13:50 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-02 14:56 . 2005-09-13 11:07 -------- d-----w c:\program files\Java
2009-04-30 04:50 . 2005-10-05 03:17 -------- d-----w c:\program files\Netropa
2009-04-21 11:55 . 2006-12-03 21:07 -------- d-----w c:\program files\Radmin
2009-04-18 03:25 . 2006-01-18 03:25 -------- d-----w c:\program files\Common Files\Logitech
2009-04-15 00:41 . 2005-10-22 14:41 -------- d-----w c:\program files\EditPlus 2
2009-04-06 03:14 . 2009-04-06 03:14 -------- d-----w c:\program files\HDD Capacity Restore
2009-04-05 18:23 . 2009-04-05 18:23 -------- d-----w c:\program files\Western Digital
2009-04-05 18:23 . 2005-09-18 20:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-06 14:22 . 2001-08-18 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-01-08 20:23 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-09-10 04:57 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2008-08-27 11:46 . 2007-10-14 10:20 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_12.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 10:47 . 2009-05-04 10:47 16384 c:\windows\Temp\Perflib_Perfdata_234.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-09-10 04:42 . 2009-05-06 09:46 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-09-10 04:42 . 2009-04-30 12:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-09-10 04:42 . 2009-05-06 09:46 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-10-23 06:40 . 2009-05-04 01:16 230620 c:\windows\system32\Restore\rstrlog.dat
- 2008-12-07 13:50 . 2008-12-07 13:49 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 148888 c:\windows\system32\javaws.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\javaw.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\javaw.exe
+ 2009-05-02 14:56 . 2009-05-02 14:56 144792 c:\windows\system32\java.exe
- 2008-12-07 13:50 . 2008-12-07 13:49 144792 c:\windows\system32\java.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "c:\program files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll" [2009-01-16 2596864]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-03 67128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-06 180269]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"e360SysTray"="c:\program files\HGRA\HGRA\e360SysTray.exe" [2006-04-12 98304]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-06-27 643072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-02 148888]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

c:\documents and settings\Chuck Rolston\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - f:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-1-9 368640]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-7-2 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-5 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2005-10-4 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-09-08 19:27 24681 ----a-w c:\windows\system32\ckpNotify.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=

R1 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/20/2007 8:19 PM 2234320]
R2 BlackICE;BlackICE;c:\program files\Network ICE\BlackICE\blackd.exe [10/30/2005 12:07 PM 847872]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [5/20/2007 8:18 PM 36400]
R2 FiberlinkCommMonitor;FiberlinkComm Monitor Service;c:\program files\HGRA\HGRA\WENGINE\wmonitor.exe [1/13/2006 3:41 PM 69692]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [5/20/2007 8:18 PM 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/20/2007 8:18 PM 671408]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [10/30/2005 12:08 PM 9433]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [6/23/2003 12:15 PM 149632]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [6/23/2003 12:15 PM 554304]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [10/30/2005 12:07 PM 227285]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [10/30/2005 12:08 PM 115680]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/2/2004 5:33 PM 17536]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/14/2007 5:20 AM 29744]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [12/20/2005 7:26 PM 16777]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [12/20/2005 8:20 PM 12905]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [10/30/2005 12:07 PM 36676]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [10/30/2005 12:07 PM 24344]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [6/13/2003 5:45 PM 19232]
.
Contents of the 'Scheduled Tasks' folder

2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-22 18:30]

2009-04-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-04-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-18 18:32]

2009-05-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chuck Rolston\Application Data\Mozilla\Firefox\Profiles\jp5y81zm.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 04:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\CHUCKR~1\LOCALS~1\Temp\Perflib_Perfdata_1320.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1572)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-05-06 4:58
ComboFix-quarantined-files.txt 2009-05-06 09:57
ComboFix2.txt 2009-05-04 10:19
ComboFix3.txt 2009-05-03 13:27
ComboFix4.txt 2009-05-02 15:18
ComboFix5.txt 2009-05-06 09:49

Pre-Run: 8,234,520,576 bytes free
Post-Run: 9,428,971,520 bytes free

232 --- E O F --- 2009-05-06 09:42
Upload was successful
nimblefingers is offline  
Old 05-07-2009, 03:52 PM   #11 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

delete this whole folder: F:\Program Files\GIB

how is it running?
Angelfire777 is offline  
Old 05-10-2009, 05:48 PM   #12 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 13
OS: XP


Re: slow computer / zrexymv.dll is not a valid Windows Image

Dear Angelfire777,

I deleted the entire folder F:\program files\gib as directed.

The computer is working well.

Thank you for your assistance. This saved me from a re-format and reload, which would have taken several days and would have been quite disruptive.

thanks again,
nimblefingers is offline  
Old 05-11-2009, 03:37 PM   #13 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: slow computer / zrexymv.dll is not a valid Windows Image

Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?

Please check out miekiemoes' "How to Prevent Malware".

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Angelfire777 is offline  