Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
Old 04-25-2009, 06:52 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Infection causing Redirects, application blocking, McAfee update failure

I seem to have some sort of virus but have been unable to detect it with numerous virus/spyware/malware checkers.

First started noticing something fishy when browser links redirected to various unintended sites. About the same time I noticed that my McAfee virus scanner continually failed to update. Several locations on McAfee's site intended to help determine my problem also fail to load in my browser.

I've tried several other free/demo virus scanners and spyware checkers but most require a download on or after setup which ends up failing just like McAfee.

I have several computers at home so I've been able to get around some of the download problems by downloading from a clean computer then copying over to my infected one. That's only gotten me so far though and none of it really seems to have made an impact.

In addition to the behavior described above, several applications are being blocked from executing. This includes regedit.exe and cmd.exe as well as both the DDS and GMER utilities this site's instructions state need to be run before posting.

I've learned that if I rename the files to something different (I've been putting underscores between all the characters) then the apps will run. That at least got me to the point where I could generate the required logs needed for this post.

I've been working on fixing this for days myself. I hate having to bug someone else when there's a chance I can fix the problem on my own. I'm pretty much out of things to try myself though, so here I am.

Here's my DDS log, and the requested attach.zip file is attached. I'd really appreciate any help you can provide.

Thanks!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jessie Potts at 17:21:25.89 on Sat 04/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.195 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
C:\PROGRA~1\COMMON~1\MICROW~1\Agent\MWAgent.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jessie Potts\Desktop\d_d_s.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/home.html
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://h20239.www2.hp.com/techcenter/HP_SystemCheck/hp_syscheck.htm
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\jessie~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\$mcreb~1.lnk - c:\windows\system32\cmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174881348375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessie~1\applic~1\mozilla\firefox\profiles\yrgl3ryi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

S3 econceal;MicroWorld Technologies Network Service;c:\windows\system32\drivers\econceal.sys --> c:\windows\system32\drivers\econceal.sys [?]

=============== Created Last 30 ================

2009-04-23 18:46 389,120 a------- c:\windows\system32\c_m_d.exe
2009-04-22 20:25 146,432 a------- c:\windows\r_e_g_e_d_i_t.exe
2009-04-20 20:12 6,123,637 a------- c:\windows\REGBK00.ZIP
2009-04-20 19:42 245,896 -------- c:\windows\system32\drivers\bdfsfltr.sys
2009-04-20 19:40 <DIR> --d----- c:\docume~1\jessie~1\applic~1\MicroWorld
2009-04-20 19:38 106,756 a------- c:\windows\winsbak2.reg
2009-04-20 19:38 14,866 a------- c:\windows\winsbak.reg
2009-04-20 19:38 211 a------- C:\bootini.ins
2009-04-20 19:37 118,784 a------- c:\windows\killproc.exe
2009-04-20 19:36 1,105,920 a------- c:\windows\system32\contfilt.dll
2009-04-20 19:36 176,128 a------- c:\windows\system32\mwnsp.dll
2009-04-20 19:36 130,560 a------- c:\windows\system32\ZIPDLL.DLL
2009-04-20 19:36 125,440 a------- c:\windows\system32\UNZDLL.DLL
2009-04-20 19:36 8,464 a------- c:\windows\system32\sporder.dll
2009-04-20 19:36 8,464 a------- c:\windows\sporder.dll
2009-04-20 19:36 8,192 a------- c:\windows\sporder.exe
2009-04-20 19:35 524,288 a------- c:\windows\system32\mwtsp.dll
2009-04-20 19:35 226,816 a------- c:\windows\inst_tspx.exe
2009-04-20 19:35 65,536 a------- c:\windows\inst_tsp.exe
2009-04-20 07:56 <DIR> a-d----- c:\windows\system32\runouce.exe
2009-04-20 07:54 28 a------- c:\windows\Lic.xxx
2009-04-20 07:53 626,688 a------- c:\windows\system32\msvcr80.dll
2009-04-20 07:53 548,864 a------- c:\windows\system32\msvcp80.dll
2009-04-20 07:53 522 a------- c:\windows\system32\Microsoft.VC80.CRT.manifest
2009-04-20 07:53 146,432 a------- c:\windows\REGEDIT.COM
2009-04-20 07:53 146,432 a------- c:\windows\R.COM
2009-04-20 07:53 135,680 a------- c:\windows\system32\TASKMGR.COM
2009-04-20 07:53 135,680 a------- c:\windows\system32\T.COM
2009-04-20 07:53 <DIR> --d----- c:\program files\common files\MicroWorld
2009-04-20 07:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MicroWorld
2009-04-19 22:15 <DIR> --d----- c:\documents and settings\jessie potts\.housecall6.6
2009-04-19 18:04 <DIR> --d----- c:\docume~1\jessie~1\applic~1\Malwarebytes
2009-04-19 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-18 12:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-18 10:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-18 10:45 <DIR> --d----- c:\program files\common files\iS3
2009-04-18 10:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-12 15:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-12 15:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-12 15:46 <DIR> --d----- c:\docume~1\jessie~1\applic~1\McAfee

==================== Find3M ====================

2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 03:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 03:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 22:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 05:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 05:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 05:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 05:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 04:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 03:39 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-02-06 03:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 03:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 12:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-08-22 19:59 330 a------- c:\docume~1\jessie~1\applic~1\wklnhst.dat
2006-11-20 02:33 22 a--sh--- c:\windows\sminst\HPCD.sys
2008-09-13 03:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091320080914\index.dat

============= FINISH: 17:21:34.92 ===============
Attached Files
File Type: zip Attach.zip (4.1 KB, 3 views)
jpotts is offline  
Old 04-27-2009, 02:30 PM   #2 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Angelfire777
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infection causing Redirects, application blocking, McAfee update failure

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
Old 04-27-2009, 08:14 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Re: Infection causing Redirects, application blocking, McAfee update failure

Thanks for your help Angelfire.

Here's the contents of c:\ComboFix.txt:

ComboFix 09-04-27.02 - Jessie Potts 04/27/2009 19:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.202 [GMT -7:00]
Running from: c:\documents and settings\Jessie Potts\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-26 20:14 . 2009-04-26 20:17 -------- d--h--w C:\$AVG8.VAULT$
2009-04-24 02:19 . 2009-04-24 02:19 -------- d-----w c:\program files\Alwil Software
2009-04-24 01:46 . 2008-04-14 00:12 389120 ----a-w c:\windows\system32\c_m_d.exe
2009-04-23 04:29 . 2009-04-23 05:46 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-23 03:25 . 2008-04-14 00:12 146432 ----a-w c:\windows\r_e_g_e_d_i_t.exe
2009-04-21 03:12 . 2009-04-21 03:13 6123637 ----a-w c:\windows\REGBK00.ZIP
2009-04-21 02:42 . 2009-02-04 00:14 245896 ------w c:\windows\system32\drivers\bdfsfltr.sys
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\documents and settings\Jessie Potts\Local Settings\Application Data\Identities
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\MicroWorld
2009-04-21 02:37 . 2009-04-14 23:35 118784 ----a-w c:\windows\killproc.exe
2009-04-21 02:36 . 2009-04-14 23:47 1105920 ----a-w c:\windows\system32\contfilt.dll
2009-04-21 02:36 . 2009-04-14 23:55 176128 ----a-w c:\windows\system32\mwnsp.dll
2009-04-21 02:36 . 2005-04-03 20:08 8464 ----a-w c:\windows\system32\sporder.dll
2009-04-21 02:36 . 2005-04-03 20:08 8464 ----a-w c:\windows\sporder.dll
2009-04-21 02:36 . 1997-09-18 13:12 8192 ----a-w c:\windows\sporder.exe
2009-04-21 02:36 . 2005-10-10 01:53 125440 ----a-w c:\windows\system32\UNZDLL.DLL
2009-04-21 02:36 . 2000-04-04 05:00 130560 ----a-w c:\windows\system32\ZIPDLL.DLL
2009-04-21 02:35 . 2009-04-14 23:57 524288 ----a-w c:\windows\system32\mwtsp.dll
2009-04-21 02:35 . 2009-04-14 23:47 226816 ----a-w c:\windows\inst_tspx.exe
2009-04-21 02:35 . 2009-04-14 23:57 65536 ----a-w c:\windows\inst_tsp.exe
2009-04-20 14:56 . 2009-04-20 14:56 -------- d---a-w c:\windows\system32\runouce.exe
2009-04-20 14:53 . 2009-04-20 14:53 626688 ----a-w c:\windows\system32\msvcr80.dll
2009-04-20 14:53 . 2009-04-20 14:53 548864 ----a-w c:\windows\system32\msvcp80.dll
2009-04-20 14:53 . 2008-04-14 00:12 135680 ----a-w c:\windows\system32\T.COM
2009-04-20 14:53 . 2008-04-14 00:12 146432 ----a-w c:\windows\R.COM
2009-04-20 14:53 . 2009-04-21 02:39 -------- d-----w c:\program files\Common Files\MicroWorld
2009-04-20 14:53 . 2009-04-23 03:23 -------- d-----w c:\documents and settings\All Users\Application Data\MicroWorld
2009-04-20 05:15 . 2009-04-20 05:20 -------- d-----w c:\documents and settings\Jessie Potts\.housecall6.6
2009-04-20 01:04 . 2009-04-20 01:04 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\Malwarebytes
2009-04-20 01:04 . 2009-04-20 01:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 06:05 . 2009-04-19 06:05 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2009-04-18 19:28 . 2009-04-18 19:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-18 17:46 . 2009-04-20 00:40 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-18 17:45 . 2009-04-18 17:45 -------- d-----w c:\program files\Common Files\iS3
2009-04-18 17:45 . 2009-04-20 01:06 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-18 16:42 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 16:42 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 16:42 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 16:42 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 16:42 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 16:42 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 16:42 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 16:42 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 16:42 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 16:42 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 16:42 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 16:42 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:44 . 2009-04-13 00:44 -------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2009-04-12 22:49 . 2009-04-12 22:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-12 22:49 . 2009-04-12 23:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-12 22:46 . 2009-04-25 21:23 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 02:38 . 2009-04-21 02:38 14866 ----a-w c:\windows\winsbak.reg
2009-04-21 02:38 . 2009-04-21 02:38 106756 ----a-w c:\windows\winsbak2.reg
2009-04-18 19:27 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-03-21 07:38 . 2009-03-21 07:37 -------- d-----w c:\program files\iTunes
2009-03-21 07:38 . 2009-03-21 07:38 -------- d-----w c:\program files\iPod
2009-03-21 07:38 . 2007-07-25 04:16 -------- d-----w c:\program files\Common Files\Apple
2009-03-21 07:35 . 2009-03-21 07:35 -------- d-----w c:\program files\QuickTime
2009-03-06 14:22 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 21:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 21:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 21:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 21:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 21:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 21:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 21:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 21:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-11-20 09:33 . 2006-11-20 09:33 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-18 136600]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\Jessie Potts\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 econceal;MicroWorld Technologies Network Service; [x]

.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uInternet Connection Wizard,ShellNext = hxxp://h20239.www2.hp.com/techcenter/HP_SystemCheck/hp_syscheck.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Jessie Potts\Application Data\Mozilla\Firefox\Profiles\yrgl3ryi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???@O??????`?@?????L?@

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-04-28 19:09
ComboFix-quarantined-files.txt 2009-04-28 02:08

Pre-Run: 32,789,635,072 bytes free
Post-Run: 32,931,082,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /Execute /fastdetect

180 --- E O F --- 2009-04-19 18:46
jpotts is offline  
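The first post describes regedit.exe and cmd.exe being blocked by file name and worked around by renaming them with underscores; the DDS listing in that post and the ComboFix listing above then show the resulting copies (c_m_d.exe, r_e_g_e_d_i_t.exe) next to .COM files named after system tools (REGEDIT.COM, TASKMGR.COM) and same-size one-letter copies (R.COM, T.COM). The following Python script is an added example, not code from this thread or from the DDS or ComboFix tools: it parses both listing formats and flags such renamed or shadow copies for an analyst's review. The sample lines are copied from the two logs posted above; the WATCHED_TOOLS set, the function names and the rule wording are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Watchlist of tool stems. cmd, regedit and taskmgr come from the thread;
# the rest are assumed additions of commonly blocked admin tools.
WATCHED_TOOLS = {"cmd", "regedit", "taskmgr", "msconfig", "tasklist", "taskkill"}

# DDS "Created Last 30"/"Find3M" line:  date time  size|<DIR>  8-char attrs  path
DDS_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)"
    r"\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
# ComboFix "Files Created" line:  created . modified  size|--------  7-char attrs  path
CF_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>\S{7})\s+(?P<path>.+?)\s*$"
)

# Sample lines copied from the DDS and ComboFix logs posted in this thread.
DDS_SAMPLE = r"""
2009-04-23 18:46 389,120 a------- c:\windows\system32\c_m_d.exe
2009-04-22 20:25 146,432 a------- c:\windows\r_e_g_e_d_i_t.exe
2009-04-20 19:37 118,784 a------- c:\windows\killproc.exe
2009-04-20 07:56 <DIR> a-d----- c:\windows\system32\runouce.exe
2009-04-20 07:53 146,432 a------- c:\windows\REGEDIT.COM
2009-04-20 07:53 146,432 a------- c:\windows\R.COM
2009-04-20 07:53 135,680 a------- c:\windows\system32\TASKMGR.COM
2009-04-20 07:53 135,680 a------- c:\windows\system32\T.COM
2009-04-20 07:53 626,688 a------- c:\windows\system32\msvcr80.dll
"""
CF_SAMPLE = r"""
2009-04-26 20:14 . 2009-04-26 20:17 -------- d--h--w C:\$AVG8.VAULT$
2009-04-24 01:46 . 2008-04-14 00:12 389120 ----a-w c:\windows\system32\c_m_d.exe
2009-04-23 03:25 . 2008-04-14 00:12 146432 ----a-w c:\windows\r_e_g_e_d_i_t.exe
2009-04-20 14:53 . 2008-04-14 00:12 135680 ----a-w c:\windows\system32\T.COM
2009-04-20 14:53 . 2008-04-14 00:12 146432 ----a-w c:\windows\R.COM
"""


@dataclass(frozen=True)
class FileEntry:
    when: str
    size: Optional[int]  # None for directory entries
    path: str


def parse_listing(text: str) -> list:
    """Parse DDS or ComboFix file-listing lines; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line) or CF_LINE.match(line)
        if not m:
            continue  # section headers, blank lines, notes
        raw = m.group("size")
        size = None if raw in ("<DIR>", "-" * 8) else int(raw.replace(",", ""))
        entries.append(FileEntry(m.group("when"), size, m.group("path")))
    return entries


def flag_tool_copies(entries) -> list:
    """Return (path, reason) for files that look like renamed or .COM-shadow
    copies of a watched tool. These are review candidates, not verdicts: the
    cleanup tools used in this thread created some such copies legitimately."""
    findings = []
    for e in entries:
        if e.size is None:
            continue
        stem, ext = ntpath.splitext(ntpath.basename(e.path).lower())
        canonical = stem.replace("_", "")
        if canonical not in WATCHED_TOOLS:
            continue
        if ext == ".com":
            # cmd.exe resolves a bare "regedit" through PATHEXT, where .COM
            # precedes .EXE, so REGEDIT.COM would run instead of regedit.exe
            findings.append((e.path, f".com shadow of {canonical}"))
        elif canonical != stem:
            findings.append((e.path, f"renamed copy of {canonical}"))
    return findings


def size_clusters(entries) -> dict:
    """Group distinct files by exact byte size; same-size files under the
    Windows directories are likely byte-for-byte copies of one another."""
    by_size = defaultdict(set)
    for e in entries:
        if e.size is not None:
            by_size[e.size].add(e.path.lower())
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def report(text: str) -> list:
    """One human-readable line per finding, for pasting into a reply."""
    entries = parse_listing(text)
    lines = [f"{path}: {why}" for path, why in flag_tool_copies(entries)]
    for size, paths in sorted(size_clusters(entries).items()):
        lines.append(f"{size} bytes shared by: " + ", ".join(paths))
    return lines


if __name__ == "__main__":
    for listing in (DDS_SAMPLE, CF_SAMPLE):
        print("\n".join(report(listing)) or "(nothing flagged)")
        print("-" * 60)
```

On the DDS sample this reports the two underscore-renamed copies, the two .COM shadows, and the two size groups (146,432 bytes shared by r_e_g_e_d_i_t.exe, REGEDIT.COM and R.COM; 135,680 bytes shared by TASKMGR.COM and T.COM), which is exactly the set of files the analyst's CFScript later deletes or moves back. Size matching is deliberately conservative; a hash of each file, where it can be collected, is the stronger check.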
Old 04-28-2009, 11:04 PM   #4 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Angelfire777
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infection causing Redirects, application blocking, McAfee update failure

Hi,

Do you remember modifying the contents of "BootExecute" in HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager (i.e., to stop chkdsk from running automatically when it detects a bad shutdown)?

I'm also going to rename cmd and regedit back to their original names for you.


*Open notepad.
Copy and paste the text inside the code box below to notepad
Code:
File::
c:\windows\system32\T.COM
c:\windows\R.COM
c:\windows\killproc.exe
c:\windows\system32\runouce.exe
Driver::
econceal
FMove::
c:\windows\system32\c_m_d.exe | c:\windows\system32\cmd.exe
c:\windows\r_e_g_e_d_i_t.exe | c:\windows\regedit.exe
DDS::
Trusted Zone: internet
Trusted Zone: mcafee.com
mRun: [UserFaultCheck] 
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.


*One reason why you were infected is because you have no antivirus running onboard. Having no antivirus these days is an open invitation for malware to enter your system.

You are basically vulnerable to all sorts of malware. Cleaning will be useless if you have no active protection because you'll only be infected again immediately.

That's why before we continue further, I want you to install, update, and scan with an antivirus -

Avira Antivir: http://www.free-av.com


*Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 11
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5
    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6 Update 1
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


*Next, it's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


On your next reply, please include a
  • kaspersky scan log
  • combofix log
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 04-29-2009, 12:52 AM   #5 (permalink)
jpotts (Registered User)
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Re: Infection causing Redirects, application blocking, McAfee update failure

Thanks for the continued help!

No, I do not recall modifying the contents of BootExecute. I would have no need to do so.

The next combofix log is below.

I should note that I wasn't infected due to a lack of antivirus software. At the time I was infected I had McAfee installed, which comes with my Comcast broadband. It had been installed for over a year and configured to update automatically.

After realizing I was infected and that I was unable to obtain McAfee updates, I uninstalled it and tried several more antivirus tools including avast and avg free. There were others too but I don't recall the names offhand. After each one failed to work for me, I uninstalled them.

The last one I uninstalled immediately prior to running the utilities you requested I run. I figured the best way to ensure there was no interference was to remove the tools that didn't work.

Eventually I'd like to reinstall McAfee but for now I plan on keeping exactly with your direction as I really appreciate your help.

Here's that log I mentioned, by the time you read it I should have free-av and the latest java updates installed.

Thanks again!



ComboFix 09-04-27.02 - Jessie Potts 04/28/2009 23:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.144 [GMT -7:00]
Running from: c:\documents and settings\Jessie Potts\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jessie Potts\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\killproc.exe
c:\windows\R.COM
c:\windows\system32\runouce.exe
c:\windows\system32\T.COM
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\killproc.exe
c:\windows\R.COM
c:\windows\system32\T.COM

.
--------------- FMove ---------------

c:\windows\system32\c_m_d.exe --> c:\windows\system32\cmd.exe
c:\windows\r_e_g_e_d_i_t.exe --> c:\windows\regedit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_econceal


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-26 20:14 . 2009-04-26 20:17 -------- d--h--w C:\$AVG8.VAULT$
2009-04-24 02:19 . 2009-04-24 02:19 -------- d-----w c:\program files\Alwil Software
2009-04-23 04:29 . 2009-04-23 05:46 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-04-21 03:12 . 2009-04-21 03:13 6123637 ----a-w c:\windows\REGBK00.ZIP
2009-04-21 02:42 . 2009-02-04 00:14 245896 ------w c:\windows\system32\drivers\bdfsfltr.sys
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\documents and settings\Jessie Potts\Local Settings\Application Data\Identities
2009-04-21 02:40 . 2009-04-21 02:40 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\MicroWorld
2009-04-21 02:36 . 2009-04-14 23:47 1105920 ----a-w c:\windows\system32\contfilt.dll
2009-04-21 02:36 . 2009-04-14 23:55 176128 ----a-w c:\windows\system32\mwnsp.dll
2009-04-21 02:36 . 2005-04-03 20:08 8464 ----a-w c:\windows\system32\sporder.dll
2009-04-21 02:36 . 2005-04-03 20:08 8464 ----a-w c:\windows\sporder.dll
2009-04-21 02:36 . 1997-09-18 13:12 8192 ----a-w c:\windows\sporder.exe
2009-04-21 02:36 . 2005-10-10 01:53 125440 ----a-w c:\windows\system32\UNZDLL.DLL
2009-04-21 02:36 . 2000-04-04 05:00 130560 ----a-w c:\windows\system32\ZIPDLL.DLL
2009-04-21 02:35 . 2009-04-14 23:57 524288 ----a-w c:\windows\system32\mwtsp.dll
2009-04-21 02:35 . 2009-04-14 23:47 226816 ----a-w c:\windows\inst_tspx.exe
2009-04-21 02:35 . 2009-04-14 23:57 65536 ----a-w c:\windows\inst_tsp.exe
2009-04-20 14:56 . 2009-04-20 14:56 -------- d---a-w c:\windows\system32\runouce.exe
2009-04-20 14:53 . 2009-04-20 14:53 626688 ----a-w c:\windows\system32\msvcr80.dll
2009-04-20 14:53 . 2009-04-20 14:53 548864 ----a-w c:\windows\system32\msvcp80.dll
2009-04-20 14:53 . 2009-04-21 02:39 -------- d-----w c:\program files\Common Files\MicroWorld
2009-04-20 14:53 . 2009-04-23 03:23 -------- d-----w c:\documents and settings\All Users\Application Data\MicroWorld
2009-04-20 05:15 . 2009-04-20 05:20 -------- d-----w c:\documents and settings\Jessie Potts\.housecall6.6
2009-04-20 01:04 . 2009-04-20 01:04 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\Malwarebytes
2009-04-20 01:04 . 2009-04-20 01:04 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-19 06:05 . 2009-04-19 06:05 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2009-04-18 19:28 . 2009-04-18 19:27 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-18 17:46 . 2009-04-20 00:40 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-04-18 17:45 . 2009-04-18 17:45 -------- d-----w c:\program files\Common Files\iS3
2009-04-18 17:45 . 2009-04-20 01:06 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-04-18 16:42 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-18 16:42 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-18 16:42 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-18 16:42 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-18 16:42 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-18 16:42 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 16:42 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 16:42 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 16:42 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-18 16:42 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-18 16:42 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-18 16:42 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 00:44 . 2009-04-13 00:44 -------- d-----w c:\documents and settings\LocalService\Application Data\McAfee
2009-04-12 22:49 . 2009-04-12 22:49 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-12 22:49 . 2009-04-12 23:19 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-12 22:46 . 2009-04-25 21:23 -------- d-----w c:\documents and settings\Jessie Potts\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 02:38 . 2009-04-21 02:38 14866 ----a-w c:\windows\winsbak.reg
2009-04-21 02:38 . 2009-04-21 02:38 106756 ----a-w c:\windows\winsbak2.reg
2009-04-18 19:27 . 2006-08-19 08:16 -------- d-----w c:\program files\Java
2009-03-21 07:38 . 2009-03-21 07:37 -------- d-----w c:\program files\iTunes
2009-03-21 07:38 . 2009-03-21 07:38 -------- d-----w c:\program files\iPod
2009-03-21 07:38 . 2007-07-25 04:16 -------- d-----w c:\program files\Common Files\Apple
2009-03-21 07:35 . 2009-03-21 07:35 -------- d-----w c:\program files\QuickTime
2009-03-06 14:22 . 2004-08-04 21:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 21:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 21:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 21:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 21:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 21:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 21:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 21:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-04 21:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 21:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 21:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 21:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 21:00 56832 ----a-w c:\windows\system32\secur32.dll
2006-11-20 09:33 . 2006-11-20 09:33 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_02.07.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 06:32 . 2009-04-29 06:32 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
+ 2004-08-04 21:00 . 2008-04-14 00:12 146432 c:\windows\system32\dllcache\regedit.exe
+ 2004-08-04 21:00 . 2008-04-14 00:12 389120 c:\windows\system32\dllcache\cmd.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-18 136600]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-06-23 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-02 135168]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

c:\documents and settings\Jessie Potts\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - c:\program files\OpenOffice.org 2.0\program\quickstart.exe [2005-12-14 61440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
Contents of the 'Scheduled Tasks' folder

2009-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/home.html
uInternet Connection Wizard,ShellNext = hxxp://h20239.www2.hp.com/techcenter/HP_SystemCheck/hp_syscheck.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jessie Potts\Application Data\Mozilla\Firefox\Profiles\yrgl3ryi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 23:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ??? [??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\COMMON~1\MICROW~1\Agent\MWASER.EXE
c:\progra~1\COMMON~1\MICROW~1\Agent\MWAGENT.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\OpenOffice.org 2.0\program\soffice.exe
c:\program files\OpenOffice.org 2.0\program\soffice.bin
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-29 23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 06:35
ComboFix2.txt 2009-04-28 02:10

Pre-Run: 32,976,052,224 bytes free
Post-Run: 32,897,507,328 bytes free

204 --- E O F --- 2009-04-19 18:46
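The CFScript from post #4 and the ComboFix log above, cross-checked as an added example (this is not the forum's or ComboFix's code): it parses the File::, Driver:: and FMove:: directives and the log's "Other Deletions", "FMove" and "Drivers/Services" sections, then reports which requested actions the log does not confirm. Both inputs are constructed copies of the relevant lines of the two posts.

```python
# Added example (not the forum's or ComboFix's code): parse the CFScript
# directives and check each one against the ComboFix log, so anything the
# script requested that the log does not confirm stands out.
import re

# Constructed copies of the relevant parts of the two posts.
CFSCRIPT = """File::
c:\\windows\\system32\\T.COM
c:\\windows\\R.COM
c:\\windows\\killproc.exe
c:\\windows\\system32\\runouce.exe
Driver::
econceal
FMove::
c:\\windows\\system32\\c_m_d.exe | c:\\windows\\system32\\cmd.exe
c:\\windows\\r_e_g_e_d_i_t.exe | c:\\windows\\regedit.exe
"""
COMBOFIX_LOG = """((((( Other Deletions )))))
c:\\windows\\killproc.exe
c:\\windows\\R.COM
c:\\windows\\system32\\T.COM
--------------- FMove ---------------
c:\\windows\\system32\\c_m_d.exe --> c:\\windows\\system32\\cmd.exe
c:\\windows\\r_e_g_e_d_i_t.exe --> c:\\windows\\regedit.exe
((((( Drivers/Services )))))
-------\\Service_econceal
"""

def parse_cfscript(text):
    """Return {section: [entries]} for the 'Name::' sections of a CFScript."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

# A ComboFix section banner: '(((( Name ))))' or '---- Name ----'.
_BANNER = re.compile(r"^(?:\(+\s*(.+?)\s*\)+|-+\s*(.+?)\s*-+)$")

def parse_combofix_log(text):
    """Collect the entries listed under each banner of a ComboFix log."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = _BANNER.match(line)
        if m:
            current = m.group(1) or m.group(2)
            sections.setdefault(current, [])
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections

def check_script_against_log(script, log):
    """Return (directive, item, status) for every directive in the script."""
    s, l = parse_cfscript(script), parse_combofix_log(log)
    deleted = {p.lower() for p in l.get("Other Deletions", [])}
    moved = {}
    for entry in l.get("FMove", []):
        src, _, dst = entry.partition("-->")
        moved[src.strip().lower()] = dst.strip().lower()
    services = {e.lower() for e in l.get("Drivers/Services", [])}
    report = []
    for path in s.get("File", []):
        ok = path.lower() in deleted
        report.append(("File", path, "deleted" if ok else "NOT deleted"))
    for entry in s.get("FMove", []):
        src, _, dst = (x.strip() for x in entry.partition("|"))
        ok = moved.get(src.lower()) == dst.lower()
        report.append(("FMove", src, "renamed" if ok else "NOT renamed"))
    for drv in s.get("Driver", []):
        ok = ("-------\\service_" + drv.lower()) in services
        report.append(("Driver", drv, "removed" if ok else "NOT removed"))
    return report

def unconfirmed(script, log):
    """Directives the log does not confirm.  Here that is the runouce.exe
    File:: entry: the log lists it as a directory, which File:: left alone,
    and the analyst later asks for it to be removed by hand."""
    return [(d, i) for d, i, st in check_script_against_log(script, log)
            if st.startswith("NOT")]
```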
Old 04-29-2009, 12:26 PM   #6 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Angelfire777
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infection causing Redirects, application blocking, McAfee update failure

You can install McAfee as opposed to Avira if you wish to do so. Only reason why I asked you to install Avira was because I thought you didn't have any Antivirus at all.

I would need the kaspersky scan results before we continue.
Old 04-30-2009, 08:03 AM   #7 (permalink)
Registered User
jpotts
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Re: Infection causing Redirects, application blocking, McAfee update failure

Sorry for the delay on this. The Kaspersky scan took longer than I expected. The log is below.

Earlier you asked if I remember modifying the contents of BootExecute. I know I didn't directly, but I think I may know how it got modified. The Avast Home Edition anti-virus software that I had previously installed before seeking your help has a boot-time scan. My guess is they accomplish this through the modification of this registry entry.

Thanks again for your help!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 23:15:23
Records in database: 2101635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
M:\
P:\

Scan statistics:
Files scanned: 68630
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:11:09


File name / Threat name / Threats count
C:\Documents and Settings\Jessie Potts\My Documents\My Downloads\tightvnc-1.3.8-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1

The selected area was scanned.
Old 04-30-2009, 11:34 AM   #8 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Angelfire777
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infection causing Redirects, application blocking, McAfee update failure

Hi,

Thing is, there's nothing in your BootExecute key; the contents were deleted somehow.

*Open notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
00,00
Save this as fix.reg. Choose to save as "All files" and place it on your desktop.

It should look like this:
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.


*Then, delete this folder please. I think it was created by e-scan or mwav:

c:\windows\system32\runouce.exe


Let me know how it's running.
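What the fix.reg above actually writes, decoded as an added example (not the forum's code): a small REGEDIT4 parser that joins the backslash-continued line, turns the hex(7) byte list into the REG_MULTI_SZ strings, and compares them with the stock Windows value. The key path and value are copied from the post; the decoding assumes a REGEDIT4 header, where hex(7) strings are ANSI bytes rather than the UTF-16LE used by "Windows Registry Editor Version 5.00" files.

```python
# Added example (not from the thread): parse a REGEDIT4 .reg fragment and
# decode its REG_MULTI_SZ (hex(7)) value, so the BootExecute fix can be
# checked for exactly what it writes before it is merged.
import re

# Constructed copy of the fix.reg contents from the post above.
FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\
  00,00
"""

# Windows' stock value: run autochk (boot-time chkdsk) on every volume.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]
SESSION_MANAGER_KEY = (
    "HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager"
)
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def _join_continuations(lines):
    """Merge lines ending in a backslash with the line that follows."""
    out, buf = [], ""
    for line in lines:
        s = line.strip()
        if s.endswith("\\"):
            buf += s[:-1]
            continue
        out.append(buf + s)
        buf = ""
    if buf:
        out.append(buf)
    return out

def parse_reg(text):
    """Return {key: {value_name: (type, data)}} for a REGEDIT4 file.

    Only the REGEDIT4 header is accepted: in that format hex(7) data is
    ANSI bytes (Version 5.00 files use UTF-16LE, so the header decides
    how the bytes must be decoded).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    result, current = {}, None
    for line in _join_continuations(lines[1:]):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unparseable line: %r" % line)
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            result[current][name] = ("string", data[1:-1])
        elif data.startswith("dword:"):
            result[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex(") or data.startswith("hex:"):
            typ, _, hexpart = data.partition(":")
            raw = bytes(int(b, 16) for b in hexpart.split(",") if b)
            result[current][name] = (typ, raw)
        else:
            raise ValueError("unsupported value syntax: %r" % data)
    return result

def decode_multi_sz(raw, encoding="cp1252"):
    """Split a REG_MULTI_SZ blob (NUL-separated, double-NUL terminated)."""
    parts = raw.decode(encoding).split("\0")
    while parts and parts[-1] == "":   # drop the terminators
        parts.pop()
    return parts

def bootexecute_entries(reg_text):
    """The strings the .reg file would write into BootExecute."""
    typ, raw = parse_reg(reg_text)[SESSION_MANAGER_KEY]["BootExecute"]
    if typ != "hex(7)":
        raise ValueError("BootExecute must be REG_MULTI_SZ, got %s" % typ)
    return decode_multi_sz(raw)

def unexpected_bootexecute(reg_text):
    """Entries other than the stock autochk line.  BootExecute runs native
    programs before the Win32 subsystem starts, so anything extra here is
    worth a look; an empty value, as in the ComboFix log, only means that
    boot-time chkdsk does not run."""
    return [e for e in bootexecute_entries(reg_text)
            if e not in DEFAULT_BOOTEXECUTE]
```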
Old 04-30-2009, 08:57 PM   #9 (permalink)
Registered User
jpotts
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Re: Infection causing Redirects, application blocking, McAfee update failure

Seems to be working well. I'm interested in knowing what, if any, specific virus/malware it was that was causing all my headache.

Updating the JRE seemed to make the most difference but I can't believe that just having an older version would cause what I was experiencing.

I decided to stick with Avira for now unless you'd recommend me changing back to McAfee. I have McAfee installed on two different Win2k machines and haven't had a problem. Don't know if the OS has anything to do with it or just the fact that this laptop is sort of a public portal I keep out in the front room and gets used for who-knows-what.

I was really close to scrapping XP altogether and installing a fresh instance of Ubuntu. I have that installed on a couple of machines and I like it a lot. The main reason I didn't is that this is the only XP machine I have. I bought the machine pre-installed with XP. I don't have disks to reinstall and I wasn't quite ready to give it up.

It looks like I don't have to mess with the OS switch now.

Thank you very much for your help.
Old 05-01-2009, 12:04 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Angelfire777
Join Date: Oct 2006
Posts: 4,581
OS: Vista


Re: Infection causing Redirects, application blocking, McAfee update failure

Hi,

When you came here for help, you had already cleaned most of the malware yourself; only the remnants were left, so I can't exactly pinpoint which kind you had.

Quote:
Updating the JRE seemed to make the most difference but I can't believe that just having an older version would cause what I was experiencing.
To be honest, this is the first time I've seen this, but I highly doubt that Java has anything to do with the issues you're having.


I would go for Avira.

1. Better detections
2. Less of a resource hog

Thing is, it's not the OS, or the AV. Nothing beats the protection of safe surfing habits. If this computer is as you say, "public portal" then that may be it.

It'll be a good idea to read the following articles that I'll show you and make sure you "educate" the users of that computer too. You will only be helped once here so, make sure you surf safe.


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache and uninstall combofix.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Read TonyKlein's How Did I Get Infected In The First Place?

Please check out miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Old 05-01-2009, 06:09 PM   #11 (permalink)
Registered User
jpotts
Join Date: Apr 2009
Posts: 6
OS: Windows XP Home


Re: Infection causing Redirects, application blocking, McAfee update failure

Thanks for all your help!
Copyright 2001 - 2009, Tech Support Forum