
Computer won't connect to Internet yet skype works

This is a discussion on "Computer won't connect to Internet yet skype works" within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


#1  DamianIreland  10-22-2009, 08:34 AM


Note: Previously posted in Network issues, and now posted here after discovering malware.

Hello folks,

I have searched and searched and have found the above problem many times but not with the same symptoms as mine.

I have been trying to fix it and may have made things worse.

This is my brother-in-law's computer. He had it at home and I think the browser was hijacked, as he installed some strange toolbar (starwon or something). I searched it; it was malware, I think. At that time he got a new computer, so we just ignored it really.
Then he moved said computer to work. Skype worked fine, as did email through Outlook, so although I had promised to try to get the web working, I hadn't managed it. I had installed Google Chrome, but that didn't work either.

At this point, brother-in-law gets a new version of Office to have Word 2007, and gets me to install it. In doing so, it came up with an error about a file not found on the CD (all originals with serials). I searched the error; it seems common, and the answer is to uninstall the old version first rather than attempt to update.

Of course I didn't realise that this new version doesn't have Outlook on it, and so he loses all his files and now Outlook Express can't get his emails. It can't find the incoming server, or the outgoing.

So that's where I am now. My Mac works fine in his office; we are both plugged directly into the wall. I can't seem to ping anything from his computer, but I'm not a tech. Just a pretendy tech.

From advice in Network Issues I installed Malwarebytes; it found 160 or so infections and quarantined them. I also tried resetting the TCP/IP stack and Winsock entries to default, without it making a difference.

The computer can't connect to the internet to update Malwarebytes or similar, but Skype works fine. No browser is currently working.

I'm attaching said logs from the sticky and hope I've given you all the information you need; thanks for your hard work here.

It's running Windows XP Home SP3. There shouldn't be any cracked software on it to the best of my knowledge, and no P2P, though in the past I think it had BitTorrent.

I have started without any startup items: nothing. I have also rebooted in safe mode; again, no connection, only Skype.

To the best of my knowledge the malware came from 'Starware'. I can also post the Malwarebytes log if wanted.

Thanks again.

Damian

DDS (Ver_09-10-13.01) - NTFSx86
Run by user at 14:19:46.10 on 22/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.129 [GMT 1:00]

FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Activesync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
D:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Sony\vaio entertainment\VzTrayIcon.exe
D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Sony\VAIO Launcher\Launcher.exe
C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.club-vaio.sony-europe.com/
mDefault_Page_URL = hxxp://www.club-vaio.sony-europe.com/
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "d:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [PaperPort PTD] c:\program files\dell\dell laser mfp 1600n\paperport\pptd40nt.exe
mRun: [P3000x_S2P] c:\program files\dell\dell laser mfp 1600n\psu\ScanToPc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IndexSearch] c:\program files\dell\dell laser mfp 1600n\paperport\IndexSearch.exe
mRun: [DLCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCQtime.dll,[email protected]
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - d:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\vaiola~1.lnk - c:\program files\sony\vaio launcher\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - d:\progra~1\micros~2\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\bltee0ai.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.ie

============= SERVICES / DRIVERS ===============

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2009-2-24 31744]
S3 pnicml;pnicml;c:\docume~1\user\locals~1\temp\pnicml.sys [2004-9-26 31744]

=============== Created Last 30 ================

2009-10-22 13:39 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-10-22 13:39 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 13:39 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-22 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-15 16:02 <DIR> --d----- c:\windows\pss
2009-10-12 15:50 0 a------- C:\winamp.ini
2009-10-12 15:27 32,592 a------- c:\windows\system32\msonpmon.dll
2009-10-12 15:22 <DIR> --d----- c:\windows\SHELLNEW
2009-10-02 09:07 7,680 a--sh--- c:\windows\Thumbs.db

==================== Find3M ====================

2009-10-08 12:50 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-25 13:32 56 ---shr-- c:\windows\system32\4595FEC21B.sys
2008-11-02 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110220081103\index.dat

============= FINISH: 14:20:16.00 ===============
Attached files: attach.zip (3.8 KB), DDS.txt (7.8 KB)
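The DDS report in the post above is what a forum helper reads first, and most of it is noise: a handful of entry types carry the signal. As an added example (not code from the original post, from the DDS tool or from this forum), the following Python script parses a DDS report and flags the entries a helper would ask about before anything else: IE toolbars or BHOs still registered with no backing file, autostarts whose target is outside the usual program directories, services or drivers whose image lives in a temp folder or a user profile (here the pnicml driver registered from the user's temp folder), and hidden+system .sys files in system32 from the Find3M section. The sample input is copied from the report above; the trusted-root and suspect-path lists are assumptions for this particular XP layout, and every flag is a prompt to check the file, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the DDS report in the post above, under
# the section banners DDS prints, so the script runs offline.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

============= SERVICES / DRIVERS ===============

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [2004-8-24 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2009-2-24 31744]
S3 pnicml;pnicml;c:\docume~1\user\locals~1\temp\pnicml.sys [2004-9-26 31744]

==================== Find3M ====================

2009-10-08 12:50 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-25 13:32 56 ---shr-- c:\windows\system32\4595FEC21B.sys
2008-11-02 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110220081103\index.dat
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))", re.I)            # image path before " -k ..." or " [date size]"
FIND3M_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+([a-z-]{8})\s+(.+)$")  # date time size attrs path

# Assumptions for this XP layout: where legitimate drivers, services and autostarts
# live, and path fragments meaning "runs out of a temp folder or a user profile".
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "d:\\program files")
SUSPECT_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\local settings\\")


def parse_sections(text):
    """Split a DDS report into {SECTION NAME: [non-blank lines]}."""
    sections, current = defaultdict(list), "HEADER"
    for line in filter(None, (l.strip() for l in text.splitlines())):
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).upper()
        else:
            sections[current].append(line)
    return sections


def trusted_path(path):
    p = path.strip().strip('"').lower()
    return p.startswith(TRUSTED_ROOTS) and not any(m in p for m in SUSPECT_MARKERS)


def run_target(value):
    """Executable named by a Run-key value; for rundll32 entries, the DLL it loads."""
    value = value.split("]", 1)[-1].strip()            # drop the "[name]" prefix
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    first, _, rest = value.partition(" ")
    return rest.split(",", 1)[0].strip() if first.lower().startswith("rundll32") else first


def triage(text):
    """Return (severity, reason, line) for the entries a helper would ask about first."""
    s, out = parse_sections(text), []
    for line in s["PSEUDO HJT REPORT"]:
        tag, _, rest = line.partition(": ")
        if tag in ("BHO", "TB"):
            if rest.endswith("No File"):
                out.append(("low", "orphaned %s registration, file already gone" % tag, line))
            elif not trusted_path(rest.split("} - ", 1)[-1]):     # path follows the CLSID
                out.append(("high", "%s loading from an untrusted path" % tag, line))
        elif tag.endswith("Run") and not trusted_path(run_target(rest)):
            out.append(("high", "autostart from an untrusted path", line))
    for line in s["SERVICES / DRIVERS"]:                # "R2 name;display;image [date size]"
        parts = line.split(";", 2)
        m = IMAGE_RE.match(parts[2]) if len(parts) == 3 else None
        if m and not trusted_path(m.group(1)):
            out.append(("high", "service/driver image in a temp or profile folder", line))
    for line in s["FIND3M"]:
        m = FIND3M_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(1), m.group(2).lower()
        if "h" in attrs and "s" in attrs and path.endswith(".sys") and "\\system32\\" in path:
            out.append(("medium", "hidden+system .sys in system32; often copy protection, verify hash", line))
    return out


if __name__ == "__main__":
    for sev, why, line in sorted(triage(SAMPLE_DDS), key=lambda f: "hml".index(f[0][0])):
        print("[%s] %s\n    %s" % (sev.upper(), why, line))
```

On the report above this yields one high (the pnicml.sys driver under the user's temp folder), two mediums (the hidden .sys files in system32) and two lows (the toolbars with "No File"). Hidden, system-attribute .sys files with random-looking names in system32 are also a pattern that copy-protection and licensing software leaves behind, so hash and look them up before deleting; the "No File" toolbar entries are leftovers worth cleaning but are not evidence of anything still running.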
#2  DamianIreland  10-25-2009, 02:17 PM

Bump please,
and forgot to say, no, I don't think brother-in-law has install disks. It's a Vaio and everything came pre-installed as far as I know. He has no idea, of course!

Regards,
d.
#3  Ried (TSF Security Manager Emeritus, Microsoft Most Valuable Professional; Ohio)  10-25-2009, 08:47 PM

Hello DamianIreland,

Yes, please post the results of the Malwarebytes scan.

Also, open the Device Manager: click Start > Run, type the following into the Run box and click OK:

devmgmt.msc

Do you see any yellow exclamation marks?
__________________
Member of UNITE since 2006
Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
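Ried asks above for the Malwarebytes scan results. A Malwarebytes 1.x log lists one detection per line as "item (Family) -> status." under "... Infected:" headers, which makes it easy to triage mechanically rather than by eye. As an added example, not code from the original thread or from Malwarebytes, the following Python script groups the detections by family and section, picks out the registry entries that gave the adware a foothold in Internet Explorer or at logon (Browser Helper Object, toolbar, pre-approved ActiveX control, Run key, User-Agent tag), and lists anything whose status is not "Quarantined and deleted successfully", i.e. removals that still need a reboot before a rescan. The sample lines are copied from the log posted later in this thread; the "Delete on reboot." status on the last line is constructed to exercise that check, and the persistence markers are assumptions about the usual XP/IE registry layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: detection lines copied from the Malwarebytes log posted later
# in this thread, under the section headers MBAM 1.x prints. The status of the last
# line is changed to "Delete on reboot." so the pending-removal check has something to find.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IGB (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zangotoolbar 4.8.3 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Application Data\uharswsaq_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\bin\Starware343.dll (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\InternetGameBox.exe (Adware.EGDAccess) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(.+) Infected:$")                  # the "Files Infected:" style headers
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<status>.+?)\.?$")
CLEANED = "Quarantined and deleted successfully"

# Assumed persistence points (lower-cased substrings of the item path) and what each
# gives the component: a hook into the browser or a start at logon.
PERSISTENCE = {
    "\\browser helper objects\\": "IE Browser Helper Object, loaded into every IE process",
    "\\internet explorer\\toolbar": "IE toolbar registration",
    "\\ext\\preapproved\\": "pre-approved ActiveX control, runs without the install prompt",
    "\\currentversion\\run": "Run key autostart",
    "\\user agent\\post platform\\": "User-Agent tag, marks the install in every web request",
}


def parse_log(text):
    """Return one dict (section, item, family, status) per detection line."""
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append(dict(m.groupdict(), section=section))
    return items


def summarize(items):
    """Group by family, pull out persistence points and anything not yet removed."""
    by_family = defaultdict(Counter)
    persistence, pending = [], []
    for it in items:
        by_family[it["family"]][it["section"]] += 1
        low = it["item"].lower()
        for marker, meaning in PERSISTENCE.items():
            if marker in low:
                persistence.append((it["family"], meaning, it["item"]))
        if it["status"] != CLEANED:
            pending.append((it["status"], it["item"]))
    return {"by_family": by_family, "persistence": persistence, "pending": pending}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for family, counts in sorted(report["by_family"].items(), key=lambda kv: -sum(kv[1].values())):
        print("%-22s %3d  %s" % (family, sum(counts.values()), dict(counts)))
    print("\npersistence points removed:")
    for family, meaning, item in report["persistence"]:
        print("  %s: %s\n      %s" % (family, meaning, item))
    print("\nstill pending (reboot, then rescan):" if report["pending"] else "\nnothing pending")
    for status, item in report["pending"]:
        print("  %s: %s" % (status, item))
```

Run against the full log the totals should match the counts in the log header (25 keys, 2 values, 35 folders, 95 files); a mismatch means a line the parser did not recognise. The persistence list is the part worth reading: it says which families had hooks in the browser, which is what to recheck in a fresh DDS report after the reboot.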
#4  DamianIreland  10-27-2009, 08:03 AM

I had to do this with my brother-in-law through Skype:
He opened the Device Manager as instructed and saw no yellow exclamation marks (I think I've looked there before also; everything seemed to think it was working when I looked). He did describe a yellow question mark directly under the View option in the toolbar; when he put the mouse on it, it came up as a help dialogue box. I presume this isn't what we were looking for. The Malwarebytes log file is below.
Just so I'm not breaking any rules or wasting time, I'll let it be known that I've been asked to run some simple network tests by someone on the network forum where I originally posted this, before discovering the malware and being told to post it here. I won't be able to do them for a few days anyway, as I'm away and busy when I get back, but if there's anything that can be discovered from the Malwarebytes log, then that's great, and any help is appreciated. He's pretty stuck without his email at work; his latest idea is to install Windows 7, as he thinks this may fix everything...

Perhaps it's a good idea, but he'll of course lose everything also... and I suspect it may not even fix everything, but I wouldn't know of course!

Many thanks again,
Damian


Malwarebytes log file:


Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

22/10/2009 13:45:28
mbam-log-2009-10-22 (13-45-28).txt

Scan type: Quick Scan
Objects scanned: 101541
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 35
Files Infected: 95

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5f90c0e3-4c0a-4d54-a8ac-5afe6163a99e} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab3dfa03-f743-4302-81dd-c370bffeca23} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e550dc77-ef3b-474f-b59c-b3e2aa1fa6a5} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internetgamebox (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{d3253271-7537-4074-8c0c-271b64154805} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1758b8dd-8ece-435f-9036-b0554a784b1d} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e11bf42b-035d-4cc2-ab08-b040994e81f4} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ef242ebd-5dab-4f5c-8dee-2eea4fa056cd} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a7793de-2598-4fa8-9ec5-9442cde5e1cc} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a7793de-2598-4fa8-9ec5-9442cde5e1cc} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2c70f37f-144a-49b4-bc53-3cb658e6d247} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\starware343 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IGB (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\starware343 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\IGB (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\InternetGameBox.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zangotoolbar 4.8.3 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\BrowserSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Configurator (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Dating (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ErrorSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Free_Credit_Score (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Manager (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Map_It (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Reference (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\RelatedSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Ringtones (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarLogo (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\TravelSearch (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Weather (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\favoris (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\skins (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\Ready (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\temp (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\Upload (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\bin (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\icons (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\user\Local Settings\Application Data\uharswsaq_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Application Data\uharswsaq_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Application Data\uharswsaq.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\bin\Starware343.dll (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\702_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\702_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Dating0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Free_Credit_Score0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Reference.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\ReferenceHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\referencehotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\referencexp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Ringtones0.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\WeatherHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\Related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\contexts\Travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\clear.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\cloudy.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\nclear.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\pcloud.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\rain.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\snow.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\images\walertXP.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\ProductMessagingConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\ProductMessagingConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\SimpleUpdateConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\SimpleUpdateConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\TimerManagerConfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware343\SimpleUpdate\TimerManagerConfig.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\BrowserSearch\BrowserSearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\BrowserSearch\BrowserSearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Configurator\Configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Configurator\Configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Dating\DatingOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Dating\DatingOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ErrorSearch\ErrorSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Free_Credit_Score\Free_Credit_ScoreOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Free_Credit_Score\Free_Credit_ScoreOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Layouts\ToolbarLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Layouts\ToolbarLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Layouts\WeatherLayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Layouts\WeatherLayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Manager\ManagerOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Manager\ManagerOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Map_It\Map_ItOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Map_It\Map_ItOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Reference\ReferenceOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Reference\ReferenceOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\RelatedSearch\RelatedSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Ringtones\RingtonesOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Ringtones\RingtonesOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Toolbar\TBProductsOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Toolbar\TBProductsOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarLogo\ToolbarLogoOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\ToolbarSearch\ToolbarSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\TravelSearch\TravelSearchOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Weather\AlertArchive.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Weather\AlertArchive.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Weather\WeatherOptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\Starware343\Weather\WeatherOptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\InternetGameBox.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\language (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\Privacy Policy.url (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\Terms and conditions.url (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\uninst.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\Website.url (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\AttenteOff.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\AttenteOn.html (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\configv2_en.xml (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\configv2_es.xml (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\configv2_fr.xml (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\ressources\favoris\defaultv2.swf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\InternetGameBox\skins\skinv2.skn (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\iebyterange.xml (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\iebyterange.xml.backup (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Screensavers.com\SSSInst\bin\SSSUninst.exe (Adware.Comet) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\Starware343Config.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\Starware343Uninstall.exe (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware343\icons\star_16.ico (Adware.Starware) -> Quarantined and deleted successfully.
Old 10-27-2009, 08:29 AM   #5
Ried
TSF Security Manager Emeritus
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

Thanks, I did find and read your thread in the Networking section. :)

All that stuff was mostly adware - nothing major. One entry has caught my eye and due to its presence, I feel it would be prudent to run ComboFix at this point.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review and an update on system behavior.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-27-2009, 09:40 AM   #6
DamianIreland (Guest)

Hi Ried,
Many thanks, I'll do that, however there's a strong possibility that it won't be able to download the MS Windows Recovery Console.

I can download ComboFix and transfer it via USB no probs, but it may not be able to access the net for its own download, as Malwarebytes etc. weren't able to. Shall I just proceed anyway? Obviously, you can't take responsibility or say what's going to happen, and I have important documents backed up, so if it were you, would you just go ahead with it? Or should I try to install the MS Windows Recovery Console via USB also?

Best regards,
Damian
Old 10-27-2009, 11:44 AM   #7
Ried (TSF Security Manager Emeritus)

Let's play it safe and download the package you need to the usb stick. The instructions shall then be as follows:

Go to Microsoft's website => https://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
Old 11-04-2009, 08:41 PM   #8
Ried (TSF Security Manager Emeritus)

Are you still with me Damian?
Old 11-05-2009, 06:43 AM   #9
DamianIreland (Guest)

Hi Ried,
Sorry for the delay, I most certainly am with you, but couldn't get into my brother-in-law's (hereafter referred to as BIL!) computer until today.

I had a small bit of trouble downloading the recovery package: as it was named boot-up disk, I doubted it was the correct file, and as I'm used to working with a Mac now, my click and drag copied over what appeared to be some sort of shortcut rather than the file itself, so that didn't work properly when dragged onto the ComboFix file (a technique that also confused me because I hadn't seen that on a PC before, dragging a file onto a file). Anyway, this resulted in me eventually running ComboFix without the recovery package, until I discovered said mistakes and ran it again with it installed.

I thus have two reports; I'll just post the second.

Finally, when running the program it said 'The date is , ComboFix has expired and will run at limited functionality,' or something to that effect.

Anyways, here's the report after all that!

ComboFix 09-10-26.06 - user 05/11/2009 13:24.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.173 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 13:19 . 2009-11-05 13:19 -------- d--h--w- c:\windows\PIF
2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 14:27 . 2006-10-26 18:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-12 14:22 . 2009-10-12 14:23 -------- d-----w- c:\windows\SHELLNEW
2009-10-12 12:59 . 2009-10-12 12:59 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
2009-10-12 12:58 . 2009-10-14 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 13:23 . 2006-05-26 16:19 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-10-26 08:02 . 2006-04-02 11:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-10-22 13:17 . 2007-07-22 00:30 -------- d-----w- c:\program files\Opera Software
2009-10-22 08:34 . 2007-05-18 14:30 -------- d-----w- c:\program files\Dl_cats
2009-10-15 15:58 . 2008-01-08 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 15:53 . 2008-01-08 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 10:50 . 2006-03-09 10:46 71376 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 10:49 . 2004-08-24 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-10-12 14:51 . 2004-08-24 22:01 -------- d-----w- c:\program files\Sony
2009-10-12 14:51 . 2004-08-24 22:15 -------- d-----w- c:\program files\Google
2009-10-12 14:50 . 2006-03-09 10:59 -------- d-----w- c:\program files\MoodLogic
2009-10-12 14:50 . 2006-05-31 18:15 -------- d-----w- c:\program files\Disney Interactive
2009-10-12 14:49 . 2006-07-21 18:37 -------- d-----w- c:\program files\THQ
2009-10-12 14:49 . 2004-08-24 21:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 14:48 . 2006-03-09 10:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 14:46 . 2007-05-18 14:26 -------- d-----w- c:\program files\Corel
2009-10-12 14:26 . 2006-03-09 11:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 14:24 . 2007-07-22 23:46 -------- d-----w- c:\program files\Microsoft.NET
2009-10-12 14:18 . 2006-05-26 16:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-08 11:50 . 2007-05-27 17:27 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-13 13:10 . 2009-08-13 13:10 0 ----a-w- C:\LOG4D.tmp
2009-08-13 09:55 . 2009-08-13 09:55 0 ----a-w- C:\LOG38.tmp
2009-08-13 09:00 . 2009-08-13 09:00 0 ----a-w- C:\LOG32.tmp
2009-08-13 07:36 . 2009-08-13 07:36 0 ----a-w- C:\LOG2F.tmp
2009-08-13 06:55 . 2009-08-13 06:55 0 ----a-w- C:\LOG2E.tmp
2008-10-25 12:32 . 2007-05-27 17:27 56 --sh--r- c:\windows\system32\4595FEC21B.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="d:\program files\Microsoft Activesync\wcescomm.exe" [2006-06-20 1207080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2006-12-18 25365032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe" [2004-03-17 57393]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-07 4136960]
"IndexSearch"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe" [2004-03-17 40960]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Audio Filter.lnk - c:\program files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2006-3-9 2707456]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2006-5-26 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=SSMSFltr.dll
"mixer1"=SSMSFltr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"d:\program files\Microsoft Activesync\rapimgr.exe"= d:\program files\Microsoft Activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft Activesync\wcescomm.exe"= d:\program files\Microsoft Activesync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft Activesync\WCESMgr.exe"= d:\program files\Microsoft Activesync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"19176:TCP"= 19176:TCP:Azureus Incoming
"19176:UDP"= 19176:UDP:Azureus UDP
"49152:UDP"= 49152:UDP:Azureus UDP
"49152:TCP"= 49152:TCP:Azureus TCP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [8/24/2004 2:26 PM 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2/24/2009 9:45 AM 31744]
S3 pnicml;pnicml;\??\c:\docume~1\user\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\user\LOCALS~1\Temp\pnicml.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezDRMClientSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f38a7189-5f99-11dc-b391-00112f8d7c91}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 16:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.club-vaio.sony-europe.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\bltee0ai.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.ie
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-11-05 13:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'lsass.exe'(444)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\SSMSFltr.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-05 13:27
ComboFix-quarantined-files.txt 2009-11-05 13:27
ComboFix2.txt 2009-11-05 13:15

Pre-Run: 14,557,483,008 bytes free
Post-Run: 14,538,063,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E290E977F37C5D9A1AC543C8817CD2BB
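Added example, not part of the thread and not ComboFix's own code: a small triage script for the registry, service and mount-point sections in the format of the ComboFix log above. It flags the items a removal helper checks first, such as the driver registered from a Temp folder, the disabled firewall profile, the globally open ports and the removable-drive AutoRun handler seen in this log; the embedded sample is constructed from lines of the log posted here.

```python
"""Triage helper for the registry and service sections of a ComboFix log.

Added example; not ComboFix's code and not part of the thread. It reads
the "Reg Loading Points" style sections in the format shown in the log
above and flags the items a malware-removal helper normally checks first.
"""
import re

# Constructed from lines of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"19176:TCP"= 19176:TCP:Azureus Incoming

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [8/24/2004 2:26 PM 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2/24/2009 9:45 AM 31744]
S3 pnicml;pnicml;\??\c:\docume~1\user\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\user\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
"""

# ComboFix service/driver line: "<start> <name>;<display name>;<image> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]\s*$")


def triage(log_text):
    """Return a list of (kind, subject, detail) findings for the log text."""
    findings = []
    section = ""  # registry key of the block we are currently inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image, info = m.groups()
            # A driver registered from a user's Temp folder is not how
            # legitimate software installs itself.
            if "\\temp\\" in image.lower():
                findings.append(("service-in-temp", name, image))
            # ComboFix prints [?] when it cannot stat the file at all.
            if info.strip() == "?":
                findings.append(("service-file-missing", name, image))
            continue
        sec = section.lower()
        leaf = section.rsplit("\\", 1)[-1]
        if "firewallpolicy" in sec and line.startswith('"EnableFirewall"'):
            # "EnableFirewall"= 0 (0x0): Windows Firewall is off for this
            # profile (a third-party firewall, as in the thread, may explain it).
            if line.split("=", 1)[1].split()[0] == "0":
                findings.append(("firewall-disabled", leaf, line))
        elif "globallyopenports" in sec:
            port = line.split("=", 1)[0].strip('" ')
            findings.append(("open-port", port, line.split("=", 1)[1].strip()))
        elif "mountpoints2" in sec and "autorun" in line.lower():
            # AutoRun handlers on removable drives are a classic worm foothold.
            findings.append(("removable-autorun", leaf, line.split(" - ", 1)[-1]))
        elif "\\services\\" in sec and line.replace(" ", "") == '"ImagePath"=""':
            # Registered service with no binary: a leftover to clean up.
            findings.append(("empty-image-path", leaf, line))
    return findings


def summarize(findings):
    """Group finding subjects by kind, preserving log order."""
    grouped = {}
    for kind, subject, _detail in findings:
        grouped.setdefault(kind, []).append(subject)
    return grouped


if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {subject:16} {detail}")
```

Run against the sample it reports seven findings; the two on pnicml (Temp-folder driver whose file ComboFix could not read) are the ones that would draw a helper's attention first.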
Old 11-06-2009, 09:18 PM   #10
Ried (TSF Security Manager Emeritus)

Hi Damian,

I really need to see that first run. Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A report should pop open for you. Please post the contents in your next reply.
Old 11-07-2009, 05:08 AM   #11
DamianIreland (Guest)

Hi again Ried,

Thanks so much for all of this once again. It's amazing. So, I had copied the first run results onto my USB stick in case you asked for it, so I can send it from home. Please find it below.

Best regards,
Damian


ComboFix 09-10-26.06 - user 05/11/2009 13:12.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.185 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-12 14:27 . 2006-10-26 18:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-12 14:22 . 2009-10-12 14:23 -------- d-----w- c:\windows\SHELLNEW
2009-10-12 12:59 . 2009-10-12 12:59 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Microsoft Help
2009-10-12 12:58 . 2009-10-14 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 13:12 . 2006-05-26 16:19 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-10-26 08:02 . 2006-04-02 11:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-10-22 13:17 . 2007-07-22 00:30 -------- d-----w- c:\program files\Opera Software
2009-10-22 08:34 . 2007-05-18 14:30 -------- d-----w- c:\program files\Dl_cats
2009-10-15 15:58 . 2008-01-08 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 15:53 . 2008-01-08 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 10:50 . 2006-03-09 10:46 71376 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 10:49 . 2004-08-24 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-10-12 14:51 . 2004-08-24 22:01 -------- d-----w- c:\program files\Sony
2009-10-12 14:51 . 2004-08-24 22:15 -------- d-----w- c:\program files\Google
2009-10-12 14:50 . 2006-03-09 10:59 -------- d-----w- c:\program files\MoodLogic
2009-10-12 14:50 . 2006-05-31 18:15 -------- d-----w- c:\program files\Disney Interactive
2009-10-12 14:49 . 2006-07-21 18:37 -------- d-----w- c:\program files\THQ
2009-10-12 14:49 . 2004-08-24 21:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 14:48 . 2006-03-09 10:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 14:46 . 2007-05-18 14:26 -------- d-----w- c:\program files\Corel
2009-10-12 14:26 . 2006-03-09 11:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 14:24 . 2007-07-22 23:46 -------- d-----w- c:\program files\Microsoft.NET
2009-10-12 14:18 . 2006-05-26 16:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-08 11:50 . 2007-05-27 17:27 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-13 13:10 . 2009-08-13 13:10 0 ----a-w- C:\LOG4D.tmp
2009-08-13 09:55 . 2009-08-13 09:55 0 ----a-w- C:\LOG38.tmp
2009-08-13 09:00 . 2009-08-13 09:00 0 ----a-w- C:\LOG32.tmp
2009-08-13 07:36 . 2009-08-13 07:36 0 ----a-w- C:\LOG2F.tmp
2009-08-13 06:55 . 2009-08-13 06:55 0 ----a-w- C:\LOG2E.tmp
2008-10-25 12:32 . 2007-05-27 17:27 56 --sh--r- c:\windows\system32\4595FEC21B.sys
.

------- Sigcheck -------

[7] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[7] 2008-04-23 . 4D612FF5D3B7EEF200595AE6F95D5E68 . 3593728 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
[7] 2008-03-01 . AB2C88167D78D71D93558ACECB24CC7A . 3591680 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\mshtml.dll
[7] 2008-03-01 . 4EE273E2B09317C1217EF0DB91F93534 . 3593216 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
[7] 2007-12-07 . 976C46ED4A75FC66D9C596778898CE1E . 3593216 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 54D8B404F17AA74C666F7F3AEF2AE459 . 3593216 . . [7.00.6000.20710] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
[7] 2007-10-30 . 8AB7ECF59D6EBBE986277B65ED4A40A1 . 3590656 . . [7.00.6000.16587] . . c:\windows\ie7updates\KB944533-IE7\mshtml.dll
[7] 2007-08-20 . AA8A4BD78D24FCDB96DDAEE3756AA372 . 3592192 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\mshtml.dll
[7] 2007-07-18 . 7CE243CFD47AD0DC431586CB8C542A11 . 3584000 . . [7.00.6000.20641] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\mshtml.dll
[7] 2007-05-08 . 1D4E3B86C601A2497C99790CC4D7DF26 . 3584000 . . [7.00.6000.20591] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\mshtml.dll
[7] 2007-03-07 . 190E1AE9B973049B12A67BAD478C770C . 3581952 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\mshtml.dll
[7] 2007-03-07 . DA297A862E5F093A07D37C05F608C686 . 3582976 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\system32\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\system32\dllcache\mshtml.dll
[-] 2006-10-23 . 5FC7DE1195C8E9B5360FD65DBE95E5B0 . 3055104 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB925454$\mshtml.dll
[-] 2006-09-14 . BE45460D1453B7342E01EAE79BFBC681 . 3054592 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454_0$\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-07-28 . C7074DA3D8F8C0F6C03874BA0B05069C . 3054080 . . [6.00.2900.2963] . . c:\windows\$NtUninstallKB922760$\mshtml.dll
[-] 2006-05-19 . 284CE76B71DD5260B42A3CCF0135AF67 . 3052544 . . [6.00.2900.2912] . . c:\windows\$NtUninstallKB918899$\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-03-23 . DEAA438EA31095E14A196FF647E38D13 . 3053568 . . [6.00.2900.2873] . . c:\windows\$NtUninstallKB916281$\mshtml.dll
[-] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[7] 2004-08-04 . 376E0843B2356CA91CEC8D9837A56FF7 . 3003392 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB912812$\mshtml.dll

[7] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-04-23 . 41546B396A526918DA7995A02EA04E51 . 827392 . . [7.00.6000.20815] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-03-01 . AD21461AEF8244EDEC2EF18E55E1DCF3 . 826368 . . [7.00.6000.16640] . . c:\windows\ie7updates\KB950759-IE7\wininet.dll
[7] 2008-03-01 . 6316C2F0C61271C8ABDFF7429174879E . 827392 . . [7.00.6000.20772] . . c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[7] 2007-12-07 . B5B411BB229AE6EAD7652A32ED47BFB9 . 825344 . . [7.00.6000.20733] . . c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[7] 2007-10-10 . 30C1E0F34AD2972C72A01DB5C74AB065 . 824832 . . [7.00.6000.16574] . . c:\windows\ie7updates\KB944533-IE7\wininet.dll
[7] 2007-10-10 . 0E5D918F87EFA7D2424D66B499C7EB04 . 825344 . . [7.00.6000.20696] . . c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[7] 2007-08-20 . 357D54BF94FE9D6D8505A96B5C2A3BCA . 825344 . . [7.00.6000.20661] . . c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
[7] 2007-06-27 . D6ED5E042C5207553E7F5E842918137F . 824320 . . [7.00.6000.20627] . . c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
[7] 2007-04-25 . 431DEFBB4A3D7B0DC062C1B064623A2F . 823808 . . [7.00.6000.20583] . . c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
[7] 2007-03-07 . 5B35DAE6E4886F64D1DA58C4E3E01EB9 . 822784 . . [7.00.6000.16441] . . c:\windows\ie7updates\KB933566-IE7\wininet.dll
[7] 2007-03-07 . B8F4DB39CA7353752F245379D285C80E . 823296 . . [7.00.6000.20544] . . c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\system32\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\system32\dllcache\wininet.dll
[-] 2006-10-23 . 6B2735ADFF5A5D3B9130CA4A794722F0 . 658944 . . [6.00.2900.3020] . . c:\windows\$NtUninstallKB925454$\wininet.dll
[-] 2006-09-14 . 621AF3F6174A3F60677F5230E28BCC07 . 658944 . . [6.00.2900.2995] . . c:\windows\$NtUninstallKB925454_0$\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-06-23 . 2B4DB890936430C71419037039502752 . 658944 . . [6.00.2900.2937] . . c:\windows\$NtUninstallKB922760$\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-05-10 . 38AB7A56F566D9AAAD31812494944824 . 658432 . . [6.00.2900.2904] . . c:\windows\$NtUninstallKB918899$\wininet.dll
[-] 2006-03-04 . C0845ECBF4F9164E618EE381B79C9032 . 663552 . . [6.00.2900.2861] . . c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2006-03-04 . 1C0979C7A489BEE573CD0BF4AD94BB06 . 658432 . . [6.00.2900.2861] . . c:\windows\$NtUninstallKB916281$\wininet.dll
[7] 2004-08-04 . C0823FC5469663BA63E7DB88F9919D70 . 656384 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB912812$\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="d:\program files\Microsoft Activesync\wcescomm.exe" [2006-06-20 1207080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2006-12-18 25365032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe" [2004-03-17 57393]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-07 4136960]
"IndexSearch"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe" [2004-03-17 40960]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Audio Filter.lnk - c:\program files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2006-3-9 2707456]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2006-5-26 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=SSMSFltr.dll
"mixer1"=SSMSFltr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"d:\program files\Microsoft Activesync\rapimgr.exe"= d:\program files\Microsoft Activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft Activesync\wcescomm.exe"= d:\program files\Microsoft Activesync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft Activesync\WCESMgr.exe"= d:\program files\Microsoft Activesync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"19176:TCP"= 19176:TCP:Azureus Incoming
"19176:UDP"= 19176:UDP:Azureus UDP
"49152:UDP"= 49152:UDP:Azureus UDP
"49152:TCP"= 49152:TCP:Azureus TCP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [8/24/2004 2:26 PM 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2/24/2009 9:45 AM 31744]
S3 pnicml;pnicml;\??\c:\docume~1\user\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\user\LOCALS~1\Temp\pnicml.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezDRMClientSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f38a7189-5f99-11dc-b391-00112f8d7c91}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 16:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.club-vaio.sony-europe.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\bltee0ai.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.ie
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-11-05 13:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'lsass.exe'(444)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\SSMSFltr.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-05 13:15
ComboFix-quarantined-files.txt 2009-11-05 13:15

Pre-Run: 14,586,015,744 bytes free
Post-Run: 14,555,586,560 bytes free

- - End Of File - - 87158E655E034AA7443CA644739BCEAE
DamianIreland is offline  
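The "Reg Loading Points" part of the log above carries several items a practitioner would want flagged before any cleanup: the Windows Firewall standard profile is disabled (the logs in this thread report Sygate Personal Firewall as the active firewall, so this may be deliberate), inbound ports for eMule and Azureus are open to any remote address, an AutoRun command for a U3 launcher is recorded for drive G:, and the pnicml driver entry points into the user's Temp folder, an unusual place for a driver image that is worth identifying. The Python below is an added example, not ComboFix's output format specification and not code from the thread; it runs those checks over a constructed excerpt of the log. The rule names, the severity scale and the Finding/analyze names are this example's own, and the results are heuristics to review, not verdicts on the machine.

```python
"""Flag risky 'Reg Loading Points' items in a ComboFix log.

Added example, not ComboFix's or the thread's code. The rule names,
severities and the analyze()/Finding names are this example's own.
"""
import re
from typing import NamedTuple

# Constructed excerpt of the 'Reg Loading Points' section of the log above.
LOG_SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"19176:TCP"= 19176:TCP:Azureus Incoming
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [8/24/2004 2:26 PM 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2/24/2009 9:45 AM 31744]
S3 pnicml;pnicml;\??\c:\docume~1\user\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\user\LOCALS~1\Temp\pnicml.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""


class Finding(NamedTuple):
    severity: str   # "high" / "medium" / "info": this example's own scale
    rule: str
    evidence: str


# "S3 name;display;image [date size]" or "... image --> resolved [?]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?:\s+-->.*)?\s+\[[^\]]*\]$"
)
FIREWALL_RE = re.compile(r'"enablefirewall"\s*=\s*(\d+)', re.I)
PORT_RE = re.compile(r'"(\d+):(tcp|udp)"\s*=\s*\d+:(?:tcp|udp):(.*)$', re.I)
AUTORUN_RE = re.compile(r"\\shell\\autorun\\command\s*-\s*(.+)$", re.I)


def analyze(text: str) -> list:
    """Walk the log lines, tracking the current registry key, and collect findings."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # registry key the following values belong to
            continue
        m = SERVICE_RE.match(line)
        if m:                                 # service/driver lines are not under a key header
            image = m["image"]
            if "\\temp\\" in image.lower():
                findings.append(Finding("high", f"service-image-in-temp {m['name']}", image))
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(Finding("high", "windows-firewall-off", line))
        elif key.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                port, proto, rest = m.group(1), m.group(2).upper(), m.group(3)
                scoped = "/" in rest          # an address/mask scope limits who can reach the port
                findings.append(Finding("info" if scoped else "medium",
                                        f"open-port {port}/{proto}", rest))
        elif "mountpoints2" in key:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding("medium", "autorun-command", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_SAMPLE):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

Run on the excerpt, it reports the disabled standard-profile firewall, three P2P ports open without an address scope (the ActiveSync port is scoped to 169.254.2.0/24 and is only noted), the Temp-resident pnicml image, and the G:\LaunchU3.exe AutoRun command. Open ports and AutoRun entries are the usual propagation paths a compromised home machine brings into an office network, which is why they are worth a look even when they turn out to be legitimate software.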
Old 11-07-2009, 07:15 AM   #12
Ried, TSF Security Manager Emeritus, Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

You're welcome, Damian. :)

Open notepad and copy/paste the text in the code box below into it:

Quote:

FCopy::
c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll | c:\windows\system32\mshtml.dll
c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll | c:\windows\system32\wininet.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt

Can you access the internet with IE now?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
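The FCopy script in the post above replaces the live c:\windows\system32 copies of mshtml.dll and wininet.dll with the copies from the KB956390-IE7 hotfix folder listed in the Sigcheck section of the preceding log. Before running a copy like that it is worth reading the Sigcheck listing mechanically: what version is being put in place, what version is there now, whether the live file still matches its dllcache twin, and whether it is older than the copy the service pack left in ServicePackFiles\i386. The Python below is an added example, not ComboFix's or Ried's code; it parses a constructed subset of the Sigcheck lines from the log above and reports those facts for each FCopy pair. The SigEntry, review_fcopy and report names are this example's own, and the leading [7]/[-] marker is parsed but not interpreted.

```python
"""Parse ComboFix 'Sigcheck' lines and describe what an FCopy would change.

Added example (not ComboFix's or the thread's code). The SigEntry,
review_fcopy and report names are this example's own; the [7]/[-]
marker is parsed but its meaning is not interpreted here.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of the Sigcheck lines from the log above.
SIGCHECK_SAMPLE = r"""
[7] 2008-08-26 . 25CC085720EE3617FD1F8AB9E2F7CAB2 . 3594752 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll
[7] 2008-04-14 . A706E122B398FE1AB85CB9B75D044223 . 3066880 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\system32\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2008-08-26 . 77C192FE56A70D7FA0247BA0A6201C32 . 827904 . . [7.00.6000.20900] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-04-14 . 7A4F775ABB2F1C97DEF3E73AFA2FAEDD . 666112 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\system32\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\system32\dllcache\wininet.dll
"""

# Layout of one Sigcheck line: [mark] date . md5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[\d.]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class SigEntry:
    mark: str
    date: str
    md5: str
    size: int
    version: tuple
    path: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def folder(self) -> str:
        return str(PureWindowsPath(self.path).parent).lower()


def parse_sigcheck(text: str) -> list:
    """Return one SigEntry per well-formed line; blank or unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m["mark"], m["date"], m["md5"].upper(), int(m["size"]),
                                    tuple(int(p) for p in m["ver"].split(".")), m["path"]))
    return entries


def find(entries, path):
    return next((e for e in entries if e.path.lower() == path.lower()), None)


def review_fcopy(entries, src_path, dst_path) -> dict:
    """Describe what 'FCopy:: src | dst' would do to the live file at dst."""
    src, dst = find(entries, src_path), find(entries, dst_path)
    if src is None or dst is None:
        raise ValueError("source or destination not present in the Sigcheck listing")
    same = [e for e in entries if e.name == dst.name]
    cache = next((e for e in same if e.folder == r"c:\windows\system32\dllcache"), None)
    sp = next((e for e in same if e.folder == r"c:\windows\servicepackfiles\i386"), None)
    return {
        "file": dst.name,
        "src_version": src.version,
        "dst_version": dst.version,
        "newest_seen": max(e.version for e in same),
        "crosses_major": src.version[0] != dst.version[0],       # e.g. 6.x replaced by 7.x
        "dst_matches_dllcache": cache is not None and cache.md5 == dst.md5,
        "dst_below_sp_baseline": sp is not None and dst.version < sp.version,
    }


def fmt(version) -> str:
    return ".".join(str(p) for p in version)


def report(entries, plan) -> list:
    """One line per (src, dst) FCopy pair describing the change and any flags."""
    out = []
    for src, dst in plan:
        r = review_fcopy(entries, src, dst)
        flags = [k for k in ("crosses_major", "dst_below_sp_baseline") if r[k]]
        out.append(f"{r['file']}: {fmt(r['dst_version'])} -> {fmt(r['src_version'])}; "
                   f"newest on disk {fmt(r['newest_seen'])}; flags: {', '.join(flags) or 'none'}")
    return out


if __name__ == "__main__":
    PLAN = [(r"c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll", r"c:\windows\system32\mshtml.dll"),
            (r"c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll", r"c:\windows\system32\wininet.dll")]
    for line in report(parse_sigcheck(SIGCHECK_SAMPLE), PLAN):
        print(line)
```

On the lines from this log the report shows both live files at 6.00.2900.3020, matching their dllcache copies but older than the 6.00.2900.5512 copies the SP3 installation left in ServicePackFiles\i386, and the planned copy moving them to 7.00.6000.20900, a jump across an IE major version. That last flag is the one to stop on: iertutil.dll, which the next post reports as missing after the copy, is a library introduced with IE7, so a system whose other IE components are 6.x has no copy of it.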
Old 11-12-2009, 07:22 AM   #13
Guest
Join Date: Oct 2009
Posts: 17

Hi Ried,

Please find the log file below.

On the first try, without a reboot, IE still wasn't working. On reboot a warning box came up:
EXPLORER.EXE UNABLE TO FIND COMPONENT
This application has failed to start because iertutil.dll was not found. Reinstalling the application may fix this problem.

So nothing is happening with the computer at all.
I haven't restored to a system restore point yet; I will hopefully await your instructions, but I hope they come quickly, before my brother-in-law gets back to the office!

Nothing else to report really; I won't go messing about with anything, I'll just wait for advice. Thanks again.

Damian


ComboFix 09-10-26.06 - user 12/11/2009 14:05.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.201 [GMT 0:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt.rtf
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\mshtml.dll --> c:\windows\system32\mshtml.dll
c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll --> c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-05 14:34 . 2009-11-05 14:53 8704 ----a-w- c:\windows\VIEWS.DAT
2009-11-05 14:34 . 2009-11-05 14:34 8067 ----a-w- c:\windows\extend.dat
2009-11-05 14:30 . 2009-11-05 14:30 -------- d-----w- c:\windows\forms
2009-11-05 14:30 . 2009-11-05 14:30 -------- d-----w- c:\program files\Windows Messaging
2009-11-05 13:19 . 2009-11-05 13:19 -------- d--h--w- c:\windows\PIF
2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 12:39 . 2009-10-22 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-22 12:39 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 14:01 . 2006-05-26 16:19 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-11-05 14:32 . 2006-03-09 10:46 71768 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 08:02 . 2006-04-02 11:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-10-22 13:17 . 2007-07-22 00:30 -------- d-----w- c:\program files\Opera Software
2009-10-22 08:34 . 2007-05-18 14:30 -------- d-----w- c:\program files\Dl_cats
2009-10-15 15:58 . 2008-01-08 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 15:53 . 2008-01-08 17:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-14 12:30 . 2009-10-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-13 10:49 . 2004-08-24 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-10-12 14:51 . 2004-08-24 22:01 -------- d-----w- c:\program files\Sony
2009-10-12 14:51 . 2004-08-24 22:15 -------- d-----w- c:\program files\Google
2009-10-12 14:50 . 2006-03-09 10:59 -------- d-----w- c:\program files\MoodLogic
2009-10-12 14:50 . 2006-05-31 18:15 -------- d-----w- c:\program files\Disney Interactive
2009-10-12 14:49 . 2006-07-21 18:37 -------- d-----w- c:\program files\THQ
2009-10-12 14:49 . 2004-08-24 21:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 14:48 . 2006-03-09 10:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 14:46 . 2007-05-18 14:26 -------- d-----w- c:\program files\Corel
2009-10-12 14:26 . 2006-03-09 11:05 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 14:24 . 2007-07-22 23:46 -------- d-----w- c:\program files\Microsoft.NET
2009-10-12 14:18 . 2006-05-26 16:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-08 11:50 . 2007-05-27 17:27 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-25 12:32 . 2007-05-27 17:27 56 --sh--r- c:\windows\system32\4595FEC21B.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-05_13.13.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 1997-07-11 00:00 . 1997-07-11 00:00 20080 c:\windows\system32\WINSSPI.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 32256 c:\windows\system32\SELFREG.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 11776 c:\windows\system32\MSOTHUNK.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 37136 c:\windows\system32\MAPISRVR.EXE
+ 1997-07-11 00:00 . 1997-07-11 00:00 27408 c:\windows\system32\MAPISP32.EXE
+ 1997-07-11 00:00 . 1997-07-11 00:00 83728 c:\windows\system32\KEYEX32.EXE
+ 1997-07-11 00:00 . 1997-07-11 00:00 20992 c:\windows\system32\INETAB32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 12288 c:\windows\system32\HLINKPRX.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 92944 c:\windows\system32\GAPI32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 22016 c:\windows\system32\DOCOBJ.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 57344 c:\windows\system32\COMMTB32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 19616 c:\windows\system\VB4EN16.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 27632 c:\windows\system\CTL3DV2.DLL
+ 2009-11-05 14:30 . 2009-11-05 14:56 90168 c:\windows\forms\FRMCACHE.DAT
+ 1997-07-11 00:00 . 1997-07-11 00:00 7904 c:\windows\system32\ML3XEC16.EXE
+ 1997-07-11 00:00 . 1997-07-11 00:00 6720 c:\windows\system32\CMC.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 7440 c:\windows\system32\APPXEC32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 9136 c:\windows\system\VAEN2.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 423888 c:\windows\system32\OUTLCOMM.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 286480 c:\windows\system32\OLEMSG32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 232928 c:\windows\system32\OLEMSG.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 590608 c:\windows\system32\MSPST32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 545040 c:\windows\system32\MSFS32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 284432 c:\windows\system32\MMFMIG32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 138752 c:\windows\system32\MINET32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 892688 c:\windows\system32\mapi32.dll
+ 1997-07-11 00:00 . 1997-07-11 00:00 518688 c:\windows\system32\MAPI.DLL
+ 2004-08-24 14:32 . 2009-11-05 14:32 277352 c:\windows\system32\FNTCACHE.DAT
+ 1997-07-11 00:00 . 1997-07-11 00:00 401680 c:\windows\system32\ETEXCH32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 585488 c:\windows\system32\EMSUIX32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 128272 c:\windows\system32\EMSUI32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 544528 c:\windows\system32\EMSMDB32.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 102160 c:\windows\system32\EMSABP32.DLL
+ 2004-08-24 14:26 . 2008-08-26 09:08 827904 c:\windows\system32\dllcache\wininet.dll
+ 1997-07-11 00:00 . 1997-07-11 00:00 146704 c:\windows\system32\CNFNOT32.EXE
+ 1997-07-11 00:00 . 1997-07-11 00:00 935632 c:\windows\system\VB40016.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 246720 c:\windows\system\RICHED.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 536048 c:\windows\system\OC25.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 121856 c:\windows\system\MLCTRL.DLL
+ 1997-07-11 00:00 . 1997-07-11 00:00 1208080 c:\windows\system32\WMSUI32.DLL
+ 2004-08-24 14:26 . 2008-08-26 09:08 3594752 c:\windows\system32\dllcache\mshtml.dll
+ 1997-07-11 00:00 . 1997-07-11 00:00 1255616 c:\windows\system\WMSUI.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="d:\program files\Microsoft Activesync\wcescomm.exe" [2006-06-20 1207080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2006-12-18 25365032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe" [2004-03-17 57393]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-07 4136960]
"IndexSearch"="c:\program files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe" [2004-03-17 40960]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-10-16 106496]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-5-26 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-7-30 217195]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Audio Filter.lnk - c:\program files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2006-3-9 2707456]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2006-5-26 253952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=SSMSFltr.dll
"mixer1"=SSMSFltr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"d:\program files\Microsoft Activesync\rapimgr.exe"= d:\program files\Microsoft Activesync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"d:\program files\Microsoft Activesync\wcescomm.exe"= d:\program files\Microsoft Activesync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"d:\program files\Microsoft Activesync\WCESMgr.exe"= d:\program files\Microsoft Activesync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:Emule TCP
"4672:UDP"= 4672:UDP:Emule UDP
"19176:TCP"= 19176:TCP:Azureus Incoming
"19176:UDP"= 19176:UDP:Azureus UDP
"49152:UDP"= 49152:UDP:Azureus UDP
"49152:TCP"= 49152:TCP:Azureus TCP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ezDRMClientSvc;DRM Service;c:\windows\system32\svchost.exe -k netsvcs [8/24/2004 2:26 PM 14336]
S3 ICDSX;Sony IC Recorder (SX);c:\windows\system32\drivers\IcdSX.sys [2/24/2009 9:45 AM 31744]
S3 pnicml;pnicml;\??\c:\docume~1\user\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\user\LOCALS~1\Temp\pnicml.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezDRMClientSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f38a7189-5f99-11dc-b391-00112f8d7c91}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-20 16:28]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.club-vaio.sony-europe.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\bltee0ai.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.ie
FF - component: d:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2009-11-12 14:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(384)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'lsass.exe'(440)
c:\windows\system32\SSMSFltr.dll

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\SSMSFltr.dll
c:\windows\system32\SSSensor.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-12 14:08
ComboFix-quarantined-files.txt 2009-11-12 14:08
ComboFix2.txt 2009-11-05 13:27
ComboFix3.txt 2009-11-05 13:15

Pre-Run: 14,476,988,416 bytes free
Post-Run: 14,422,216,704 bytes free

- - End Of File - - 83AC5619F287887E1B26831320B4B838




DamianIreland is offline  
Old 11-12-2009, 08:43 PM   #14
TSF Security Manager
Emeritus
 
Ried
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

What did you do prior to carrying out the instructions for running ComboFix? Did you install something new? Run another onboard tool of some sort?

Here's a thought - uninstall Sygate, reboot. Do your browsers connect now?

You also need to update your copy of ComboFix. Delete your existing ComboFix.exe and download a fresh copy from here. Double click to run the tool. Post the contents of the C:\ComboFix.txt when through.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-13-2009, 04:49 AM   #15
Guest
 
Join Date: Oct 2009
Posts: 17

Quote:
Originally Posted by Ried
What did you do prior to carrying out the instructions for running ComboFix? Did you install something new? Run another onboard tool of some sort?
Hi Ried,

No nothing. I wouldn't dream of doing such a thing! You're my tech guru now, I only do as you say, nothing more nothing less.

Thing is, the computer's unusable now as Explorer won't load; not Internet Explorer, Windows Explorer. Perhaps I wasn't clear. So I can only run cmd line commands (if that's the correct terminology).


Quote:
Originally Posted by Ried
Here's a thought - uninstall Sygate, reboot. Do your browsers connect now?

You also need to update your copy of ComboFix. Delete your existing ComboFix.exe and download a fresh copy from here. Double click to run the tool. Post the contents of the C:\ComboFix.txt when through.
I'll do all that as soon as I work out how to get the computer running again. I presume that I would start the recovery software we installed and do something there? Please advise! I now have a slightly disgruntled brother-in-law (that's him!) ;)

Looking forward to your reply!
Damian
DamianIreland is offline  
Old 11-13-2009, 07:22 AM   #16
TSF Security Manager
Emeritus
 
Ried
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

That particular error message accompanies a 'bad' IE update. Regardless, open Task Manager>File>New Task (Run...). Using the Browse button, navigate to C:\Windows\ERDNT\subs\erdnt.exe.

Double click to bring it into the Run box and click OK. Follow the prompts. Let me know if that fixed it.

Do you have the Windows Install disc for this computer?
Ried is offline  
Old 11-13-2009, 07:42 AM   #17
Guest
 
Join Date: Oct 2009
Posts: 17

Hi Ried,
Yes, I looked about and saw that that error seems to accompany IE7 installs and the like. My brother-in-law (let's just call him David from hereon in) is trying that out as we speak. In the meantime - no, the computer came pre-installed with Windows.

I haven't been in but David says the C:/windows/erdnt/ folder only has cache and HIVBACKUP folder, erdnt.exe was in the HIVbackup folder, and we did that and restored the registry following the prompts.

Same thing happened. No change.

Now that I think long and hard about it. I did do one install. I hope it didn't cause this problem.

I'm trying to remember exactly when I did it, but am pretty sure it wasn't before the last Combofix. Possibly before the first one... I tried to install a version (original) of a stand-alone outlook 97, at David's request, I add, defensively. It of course didn't work and I uninstalled it.

Now I feel like a total idiot, if that has had knock-on effects. I'm truly sorry. I think I did it immediately after installing the recovery console. Def not just before running the latest script for combofix.

Tell me if I'm in trouble.

Regards,
Damian
DamianIreland is offline  
Old 11-13-2009, 08:05 AM   #18
TSF Security Manager
Emeritus
 
Ried
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

You have quite a few Windows files that have been failing signature verification, so yes--I believe that has something to do with the problems on this machine.

Since you do not have an install disc, my recommendation is to download Windows XP Home Edition SP3 again. Save it to usb stick.

Uninstall SP3 via the Add or Remove programs panel (you'll find it listed clearly as Windows XP Service Pack 3), then reinstall SP3.
Ried is offline  
Old 11-13-2009, 08:13 AM   #19
Guest
 
Join Date: Oct 2009
Posts: 17

Hi Ried,

I'm a little confused. The problems were there before I installed and uninstalled the last version of Outlook. I now realise what an idiotic thing that was to do... in a way. Then another part of me wonders why it would mess with the rest of the computer, or internet access, but I suppose that's the way Windows is built.

Talk about making a bad situation worse.

How will I access Add/Remove Programs without Explorer, or can that be done via the Ctrl-Alt-Delete panel?

If ever you need music theory lessons, give me a call, or I could play bass down the phone to you. ;)

Regards,
Damian
DamianIreland is offline  
Old 11-13-2009, 08:24 AM   #20
TSF Security Manager
Emeritus
 
Ried
Microsoft Most Valuable Professional
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit

I'm sorry, Damian, I forgot about that.

Yes, you can uninstall SP3 via Task Manager. Browse to C:\$ntservicepackuninstall$\spuninst\spuninst.exe
Ried is offline  