Discussion Starter #1 (Edited)
Hello Chemist and valued TSF magicians:

I apologize for the time between replies.
Per your instruction I am including the ComboFix log and a link to the original post for this machine. Steps in your instruction have been performed as described. Already I see improvement in the system's operation.
Thank you for your expert assistance. :wave:
Aw

http://www.techsupportforum.com/f284/robbers-and-theives-491445.html


ComboFix 10-06-30.03 - Mx 07/01/2010 10:44:44.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.653 [GMT -7:00]
Running from: c:\documents and settings\Mx\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Mozilla Firefox\components\npclntax.xpt
c:\program files\Search Guard Plus
c:\program files\Search Guard Plus\fbsProtection.xml
c:\program files\Search Guard Plus\fbsSearchProvider.xml
c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
c:\program files\Search Guard Plus\SearchGuardPlus.exe
c:\program files\Search Guard Plus\SearchGuardPlus.ico
c:\program files\Search Guard Plus\uninstalSGP.exe
c:\program files\Search Guard PlusU
c:\program files\Search Guard PlusU\SGPU.ico
c:\program files\Search Guard PlusU\sgpUpdater.exe
c:\program files\Search Guard PlusU\sgpUpdater.xml
c:\program files\Search Guard PlusU\sgpUpdaters.exe
c:\program files\Search Guard PlusU\uninstalSGPU.exe
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\xef.txt

Infected copy of c:\windows\system32\DRIVERS\compbatt.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4


((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-07-01 17:34 . 2010-07-01 17:34 -------- d-----w- c:\documents and settings\Mx\Local Settings\Application Data\ESET
2010-06-24 01:03 . 2010-06-24 01:04 -------- d-----w- C:\downloads
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\Mx\Application Data\Uniblue
2010-06-13 20:32 . 2010-06-13 20:32 -------- d-----w- c:\documents and settings\Serena\GameHouse
2010-06-01 21:44 . 2010-06-01 21:44 46080 ----a-w- c:\windows\system32\jbwonjm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 03:47 . 2010-06-19 03:47 503808 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcp71.dll
2010-06-19 03:47 . 2010-06-19 03:47 499712 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\jmc.dll
2010-06-19 03:47 . 2010-06-19 03:47 348160 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcr71.dll
2010-06-18 06:48 . 2007-03-15 07:27 -------- d-----w- c:\program files\Yahoo! Games
2010-06-15 22:18 . 2007-04-08 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-15 00:23 . 2010-06-15 22:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe
2010-06-14 07:33 . 2008-01-12 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-06-14 06:41 . 2008-11-23 20:10 -------- d-----w- c:\program files\RealArcade
2010-06-13 18:58 . 2008-01-15 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-06-01 17:04 . 2006-12-09 18:51 -------- d-----w- c:\program files\Google
2010-03-17 06:41 . 2007-03-11 04:12 104 --sh--r- c:\windows\system32\CBCCB78211.sys
2010-03-17 06:41 . 2007-03-11 04:12 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RegistryBooster"="c:\utility\RegistryBooster\launcher.exe" [2010-05-26 46456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"WinPatrol"="c:\utility\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/27/2009 6:49 AM 78104]
S3 dialmgr;dialmgr;\??\c:\windows\system32\dialmgr.sys --> c:\windows\system32\dialmgr.sys [?]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 10:04 AM 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31D9B4A9-6FCC-4698-A092-C4C28D017B36}]
2010-06-01 21:44 46080 ----a-w- c:\windows\system32\jbwonjm.dll
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{3580EDF3-FD1E-45C9-B565-B3A022E11F70}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=41&sid=v300
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{BB4BB6B0-B32A-407C-B97F-4796536F30BB} - (no file)
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-OE_OEM - c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
HKLM-Run-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 10:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1308)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3280)
c:\windows\system32\WININET.dll
c:\utility\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\utility\RegistryBooster\registrybooster.exe
.
**************************************************************************
.
Completion time: 2010-07-01 11:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 18:05
ComboFix2.txt 2009-05-18 22:41

Pre-Run: 75,178,356,736 bytes free
Post-Run: 75,743,023,104 bytes free

- - End Of File - - 5B4402B83DC4B31338844283D76A9D1C
 

TSF Security Manager, Emeritus
Hi Ancient Wisdom. Let's see if we can finish this up in short order. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


  1. Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the codebox below into it:


    Code:
    http://www.techsupportforum.com/f100/robbers-and-theives-2-a-494332.html#post2786667
    
    Driver::
    dialmgr
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{31D9B4A9-6FCC-4698-A092-C4C28D017B36}]
    Collect::
    c:\windows\system32\jbwonjm.dll
    c:\windows\system32\dialmgr.sys
    c:\windows\system32\thqvmk


    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
 

Discussion Starter #3
CF Script log attached

Thank you Teton, :wink:
The script ran successfully and this is the log file.
Aw


ComboFix 10-06-30.03 - Mx 07/03/2010 16:08:00.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.578 [GMT -7:00]
Running from: c:\documents and settings\Mx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mx\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

file zipped: c:\windows\system32\jbwonjm.dll
file zipped: c:\windows\system32\thqvmk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jbwonjm.dll
c:\windows\system32\thqvmk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DIALMGR
-------\Service_dialmgr


((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-01 23:44 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-01 17:34 . 2010-07-01 17:34 -------- d-----w- c:\documents and settings\Mx\Local Settings\Application Data\ESET
2010-06-24 01:03 . 2010-06-24 01:04 -------- d-----w- C:\downloads
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\Mx\Application Data\Uniblue
2010-06-13 20:32 . 2010-06-13 20:32 -------- d-----w- c:\documents and settings\Serena\GameHouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 05:33 . 2010-07-03 05:33 27630760 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-06-19 03:47 . 2010-06-19 03:47 503808 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcp71.dll
2010-06-19 03:47 . 2010-06-19 03:47 499712 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\jmc.dll
2010-06-19 03:47 . 2010-06-19 03:47 348160 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcr71.dll
2010-06-18 06:48 . 2007-03-15 07:27 -------- d-----w- c:\program files\Yahoo! Games
2010-06-15 22:18 . 2007-04-08 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-15 00:23 . 2010-06-15 22:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe
2010-06-14 07:33 . 2008-01-12 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-06-14 06:41 . 2008-11-23 20:10 -------- d-----w- c:\program files\RealArcade
2010-06-13 18:58 . 2008-01-15 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-06-01 17:04 . 2006-12-09 18:51 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-17 06:41 . 2007-03-11 04:12 104 --sh--r- c:\windows\system32\CBCCB78211.sys
2010-03-17 06:41 . 2007-03-11 04:12 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"WinPatrol"="c:\utility\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/27/2009 6:49 AM 78104]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 10:04 AM 136176]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-03 c:\windows\Tasks\User_Feed_Synchronization-{3580EDF3-FD1E-45C9-B565-B3A022E11F70}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=41&sid=v300
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-03 16:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1304)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(116)
c:\windows\system32\WININET.dll
c:\utility\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-03 16:29:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-03 23:29
ComboFix2.txt 2010-07-01 18:05
ComboFix3.txt 2009-05-18 22:41

Pre-Run: 74,785,501,184 bytes free
Post-Run: 74,863,050,752 bytes free

- - End Of File - - 64AA3B40F160BE30BDF6C3FB387A52CA
 

TSF Security Manager, Emeritus
Hi Ancient Wisdom.

I don't see that a file was uploaded by ComboFix.

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.

Please do not attach logs unless requested. They are easier to review when posted.

Thanks.
 

Discussion Starter #5
quarantine

Hello Teton,

The upload you requested did not automatically follow the script scan as instructed. :rolleyes:

Here is the log file content you requested.

Aw

~~~~~~~

2010-07-03 23:14:59 . 2010-07-03 23:14:59 2,534 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_dialmgr.reg.dat
2010-07-03 23:14:59 . 2010-07-03 23:14:59 1,208 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_DIALMGR.reg.dat
2010-07-03 23:07:57 . 2010-07-03 23:07:58 47,228 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-07-03_16.07.54.zip
2010-07-01 18:05:01 . 2010-07-01 18:05:01 188 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Google Desktop Search.reg.dat
2010-07-01 18:04:59 . 2010-07-01 18:04:59 173 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-OE_OEM.reg.dat
2010-07-01 18:04:59 . 2010-07-01 18:04:59 142 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ModemOnHold.reg.dat
2010-07-01 18:04:58 . 2010-07-01 18:04:58 157 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{BB4BB6B0-B32A-407C-B97F-4796536F30BB}.reg.dat
2010-07-01 17:52:58 . 2010-07-01 17:52:58 3,886 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_6to4.reg.dat
2010-07-01 17:52:58 . 2010-07-01 17:52:58 774 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_6TO4.reg.dat
2010-07-01 17:52:34 . 2010-07-03 23:14:37 8,629 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-07-01 17:25:29 . 2010-07-03 23:05:39 204 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-01 21:46:19 . 2010-06-01 21:46:19 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\fsc.txt.vir
2010-06-01 21:46:19 . 2010-06-01 21:46:19 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\xef.txt.vir
2010-06-01 21:46:19 . 2010-06-01 21:46:19 1 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\ide.txt.vir
2010-06-01 21:44:53 . 2010-06-01 21:44:53 7,106 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\thqvmk.vir
2010-06-01 21:44:52 . 2010-06-01 21:44:52 46,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jbwonjm.dll.vir
2010-06-01 21:44:52 . 2010-06-01 21:44:52 64,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\klgd.bmp.vir
2009-05-22 18:05:47 . 2009-05-07 17:02:00 1,150 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard PlusU\SGPU.ico.vir
2009-05-22 18:05:47 . 2009-05-08 22:05:56 3,710 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard PlusU\sgpUpdater.xml.vir
2009-05-22 18:05:47 . 2009-05-08 17:22:40 68,480 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard PlusU\uninstalSGPU.exe.vir
2009-05-22 18:05:47 . 2009-05-15 16:57:18 67,456 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard PlusU\sgpUpdaters.exe.vir
2009-05-22 18:05:47 . 2009-05-22 18:05:44 444 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\fbsSearchProvider.xml.vir
2009-05-22 18:05:47 . 2009-05-08 23:46:08 307,584 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard PlusU\sgpUpdater.exe.vir
2009-05-22 18:05:47 . 2009-05-15 16:56:32 54,144 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\FbsSearchProviderIE8.exe.vir
2009-05-22 18:05:47 . 2009-04-27 23:25:00 1,150 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\SearchGuardPlus.ico.vir
2009-05-22 18:05:47 . 2009-05-08 01:51:56 74,624 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\uninstalSGP.exe.vir
2009-05-22 18:05:47 . 2009-03-24 10:52:44 3,960 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\fbsProtection.xml.vir
2009-05-22 18:05:47 . 2009-05-04 23:08:28 194,432 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Guard Plus\SearchGuardPlus.exe.vir
2009-05-22 18:05:44 . 2009-05-21 00:15:46 130,560 ----a-w- C:\Qoobox\Quarantine\C\Program Files\SGPSA\BHO.dll.vir
2009-05-21 18:05:22 . 2009-05-21 18:05:22 2,059 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\tbs_include_script_012817.js.vir
2009-05-21 18:04:44 . 2009-05-21 18:04:44 69 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\version.txt.vir
2009-05-21 00:15:46 . 2009-05-21 00:15:46 130,560 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\BHO.dll.vir
2009-05-15 18:14:02 . 2009-05-15 18:14:02 92,032 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\uninstall.exe.vir
2009-05-15 16:57:18 . 2009-05-15 16:57:18 67,456 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\SGPUpdaterS.exe.vir
2009-05-15 16:56:32 . 2009-05-15 16:56:32 54,144 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\FbsSearchProviderIE8.exe.vir
2009-05-08 23:46:08 . 2009-05-08 23:46:08 307,584 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\sgpUpdater.exe.vir
2009-05-08 22:05:56 . 2009-05-08 22:05:56 3,710 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\sgpUpdater.xml.vir
2009-05-08 17:22:40 . 2009-05-08 17:22:40 68,480 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\uninstalSGPU.exe.vir
2009-05-08 01:51:56 . 2009-05-08 01:51:56 74,624 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\uninstalSGP.exe.vir
2009-05-07 17:02:00 . 2009-05-07 17:02:00 1,150 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\SGPU.ico.vir
2009-05-05 18:46:04 . 2009-05-05 18:46:04 364,928 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\tbhelper.dll.vir
2009-05-05 18:44:42 . 2009-05-05 18:44:42 2,442,112 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\FBStoolbar.dll.vir
2009-05-05 18:43:34 . 2009-05-05 18:43:34 108,416 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\FBSPlugin.dll.vir
2009-05-04 23:08:28 . 2009-05-04 23:08:28 194,432 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\SearchGuardPlus.exe.vir
2009-05-01 22:17:28 . 2009-05-22 18:05:40 15,784 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\basis.xml.vir
2009-05-01 18:41:00 . 2009-05-01 18:41:00 4,844 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\search.bmp.vir
2009-05-01 18:39:00 . 2009-05-01 18:39:00 151,830 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\icons.bmp.vir
2009-05-01 09:58:54 . 2009-05-01 09:58:54 130 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\1.bat.vir
2009-05-01 01:50:17 . 2009-05-01 01:50:17 664 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Common Files\Uninstall\PAV\Uninstall.lnk.vir
2009-04-27 23:25:00 . 2009-04-27 23:25:00 1,150 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\SearchGuardPlus.ico.vir
2009-04-16 21:47:56 . 2009-05-22 18:05:44 444 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\FbsSearchProvider.xml.vir
2009-03-24 10:52:44 . 2009-03-24 10:52:44 3,960 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\fbsProtection.xml.vir
2009-01-16 18:48:00 . 2009-01-16 18:48:00 2,465 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\tbs_include_script_005064.js.vir
2009-01-06 07:48:38 . 2009-01-06 07:48:38 2,036 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\MTWBtoolbar.html.vir
2008-12-18 19:27:24 . 2008-12-18 19:27:24 3 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\affid.dat.vir
2008-12-03 20:03:44 . 2008-12-03 20:03:44 9,088 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\ClearRecycleBin.exe.vir
2008-11-10 20:44:06 . 2008-11-10 20:44:06 62,336 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\update.exe.vir
2008-10-27 18:17:42 . 2008-10-27 18:17:42 79 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\info.txt.vir
2008-10-27 17:42:31 . 2008-09-12 17:26:26 381 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\npclntax.xpt.vir
2008-06-26 03:44:54 . 2008-06-26 03:44:54 0 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\about.html.vir
2008-02-20 20:36:36 . 2008-02-20 20:36:36 304 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\Toolbar Help.htm.vir
2007-09-18 00:00:06 . 2007-09-18 00:00:06 2,029 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\tbs_include_script_003175.js.vir
2006-12-09 18:17:06 . 2008-04-13 18:36:37 10,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir
2006-12-09 18:17:06 . 2010-07-01 17:35:12 10,240 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir_
2004-08-26 19:12:00 . 2004-08-26 19:12:00 126,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir
2004-08-18 22:47:58 . 2004-08-18 22:47:58 241 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.inf.vir
2004-04-21 22:07:36 . 2004-04-21 22:07:36 53 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\local.xml.vir
2004-02-19 10:20:32 . 2004-02-19 10:20:32 519 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Fast Browser Search\IE\error.html.vir
 

TSF Security Manager, Emeritus
52,197 Posts
  • Please visit this site:

    http://www.bleepingcomputer.com/submit-malware.php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this:

    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/494332-robbers-theives-2-a.html#post2791480

  • Click on the Browse button.
  • In the File Upload window which opens, copy and paste this into the File Name box, then click OK.

    C:\Qoobox\Quarantine\[4]-Submit_2010-07-03_16.07.54.zip

  • Then click Send File.
  • Once it shows:

    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

  • Close the site and continue with the steps below.
Please download Malwarebytes' Anti-Malware to your desktop.


  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
---------------------------------------------------------------------------------------------
 

Registered
59 Posts
Discussion Starter #7
Hello Teton,
Per your request, file submitted to Bleeping Computer.
Log file from MBAM below.

IE is being redirected so frequently it is difficult to use.
Thank you for your help.
Aw

~~~~~~

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4281

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/5/2010 6:07:56 PM
mbam-log-2010-07-05 (18-07-56).txt

Scan type: Quick scan
Objects scanned: 153985
Time elapsed: 12 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 71
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{00b77587-be1b-4201-b8e9-09fcf50ab771} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{067c6a37-72ea-4437-863a-5be20c246f3c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1230cf51-6bc4-4a23-b3f1-c7cf0afed619} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a2af056-1fe1-47ca-993d-5d09d18e674e} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2b81f920-6660-4f76-93bf-b1c67bf5d1a0} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e623b96-b166-4c70-8169-820761794299} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{34e29700-0d13-46aa-b9a5-ace68e21a091} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3661af2d-c27b-499c-9bcf-66c8502a3806} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f0915b8-b238-4c2d-ad1e-60db1e14d27a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{49155dae-c471-40fa-98ee-b2b3cad115ce} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d783385-0dda-4188-a529-c97dc3d67cbd} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e8b851b-05b0-4baf-b24d-d0dfe88dded3} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{50c3e2b3-4fd7-4cb9-91f9-641a6e6b3689} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a4737a8-b92a-4e54-970e-c2891d98ce3f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62b0b239-f9ac-4a5b-bfae-62c7a23f7627} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e10479b-31e8-4a3b-81b1-ddaf39097f19} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{726f0ab9-b842-4ae4-90c7-230e233e6a99} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{99123ac9-7dda-4c82-b252-44c2804bf392} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ace99e77-aa2a-43c2-8c9d-caf2020fdf2b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b247f5bf-bd9d-4ecd-8fc1-365f36a1fda1} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b9cc2b92-5611-453f-8381-8b6f72d9c0b8} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbbfb891-98ae-4678-86f3-bd5a2eed86c9} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bd5258af-20ae-4bd3-b748-b2851aca7335} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c4543e64-1498-410d-8e72-4744eea99ab9} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0fb1610-b25b-49f6-be20-751b2f230e6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ea58c2ea-be26-49dd-9b9a-c8e4e5ca7791} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fca28ac5-c1e1-4d67-a5ae-c44d6c374d9f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a40e8fc-c7e4-4f57-9fa4-85dd77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b2e150d-4c8a-40e4-8c36-dd9c02771c67} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{627d894a-8a77-416e-b522-432eaf2c818e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7138f250-5b72-48dd-adfb-9a83b429dd9e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8971cb48-9fca-445a-be77-e8e8a4cc9df7} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b88e4484-3ff6-4ea9-815b-a54fe20d4387} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf1bf02c-5a86-4ecf-adac-472c54c4d21e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d2221ccb-f2bb-4858-aad4-57c754153603} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea0b6a1a-6a59-4a58-9c41-9966504898a5} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{995e885e-3ff5-4f66-a107-8bfb3a0f8f12} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fbb40fdf-b715-4342-ab82-244ecc66e979} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{08755390-f46d-4d09-968c-3430166b3189} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0923208c-e259-4ed5-a778-cb607da350ad} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{229d2451-a617-4b30-b5e8-8138694240cb} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c23fa5a4-1fea-419f-8b14-f7465df062bc} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ccc6e232-aa4c-4813-a019-9c14b27776b6} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{54a3f8b7-228e-4ed8-895b-de832b2c3959} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PiratePoppers.1.0.0.24.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{38d97cce-7243-4b6e-b6a8-dd872ad3eb33} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6868afe5-f258-47dc-bc37-0821f96dc1d2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.24.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.24.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\PiratePoppers.1.0.0.24.inf (Trojan.Agent) -> Quarantined and deleted successfully.
 

TSF Security Manager, Emeritus
52,197 Posts
I don't know why the machine should be having redirects. After the last run of ComboFix, it was looking pretty clean. Has someone been using it willfully and without regard for our efforts in the interim?

I need to see new logs from DDS and gmer.
 

Registered
59 Posts
Discussion Starter #9 (Edited)
What's up with that?

Hello Teton,

[DDS logs follow]

I asked the user if she has been on the machine, and she indicated that she was checking email and doing Facebook only. She recognizes that the use of the machine is limited at this point.

I ran gmer again several times. It crashed, went to a BSOD, locked up, and then ran for over a day and night only to crash when saving the log file. So after 4 attempts and nearly two days of continuous effort, I am writing to give you that update.

When I say IE is redirecting, it may be otherwise. ESET notifies that someone is attempting a URL and blocks it, often. IE8 often recovers the lost HTTP request and can refresh the screen, though the bug is trying to get in the way. Sometimes the round-robin battle just ends in a draw...

That scenario with IE 'redirects' has been consistent before and during the recent scans. So whatever has been eradicated has yet to hit this guy where he lives.

That's all I know,
Aw

~~~~~

ATTACH2


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/14/2006 6:02:49 PM
System Uptime: 7/5/2010 7:14:17 PM (0 hours ago)

Motherboard: Dell Inc. | | 0XD720
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | Microprocessor | 980/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 105 GiB total, 69.55 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1390 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&6C79FC5&0&00E0
Manufacturer: Broadcom
Name: Dell Wireless 1390 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&6C79FC5&0&00E0
Service: BCM43XX

==== System Restore Points ===================

RP98: 4/13/2010 5:01:30 PM - Software Distribution Service 3.0
RP99: 4/15/2010 4:29:33 PM - Software Distribution Service 3.0
RP100: 4/16/2010 5:44:56 PM - System Checkpoint
RP101: 5/6/2010 4:10:10 PM - System Checkpoint
RP102: 5/7/2010 7:13:10 PM - System Checkpoint
RP103: 5/13/2010 8:59:00 AM - Software Distribution Service 3.0
RP104: 5/26/2010 11:01:52 AM - Software Distribution Service 3.0
RP105: 5/30/2010 11:40:22 PM - System Checkpoint
RP106: 6/8/2010 8:47:18 PM - System Checkpoint
RP107: 6/12/2010 6:27:36 PM - System Checkpoint
RP108: 6/14/2010 8:01:40 PM - System Checkpoint
RP109: 6/23/2010 6:28:14 PM - System Checkpoint
RP110: 6/30/2010 6:04:09 PM - System Checkpoint
RP111: 7/2/2010 8:29:52 AM - Software Distribution Service 3.0
RP112: 7/5/2010 6:30:32 PM - System Checkpoint

==== Installed Programs ======================


ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Agatha Christie - Dead Man's Folly (remove only)
Annie's Millions
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Big City Adventure Vancouver (remove only)
Bonjour
Broadcom Management Programs
Cate West The Vanishing Files
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Consumer Complete Care Services Agreement
Cooking Dash - DinerTown Studios (remove only)
Corel Paint Shop Pro X
Corel Photo Album 6
Critical Update for Windows Media Player 11 (KB959772)
Dell PC Fax
Dell Photo AIO Printer 926
Dell Support 3.2.1
Dell System Restore
Dell Wireless WLAN Card
DellConnect
Digital Content Portal
Digital Line Detect
Diner Dash - Flo on the Go + Together
Diner Dash 2
Diner Dash Hometown Hero - Gourmet
Documentation & Support Launcher
Dream Chronicles - The Chosen Child
Dream Day Bundle (remove only)
Dream Day First Home (remove only)
Dream Day Honeymoon (remove only)
Dream Day Wedding (remove only)
EarthLink Setup Files
EducateU
Elementals - The Magic Key(TM)
ESET Smart Security
ESPNMotion
G.H.O.S.T Hunters (remove only)
GameHouse
Games, Music, & Photos Launcher
GemMaster Mystic
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hawaiian Explorer Pearl Harbor
Hidden Expedition - Titanic (remove only)
Hidden Secrets - The Nightmare
Hidden Secrets - The Nightmare (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Insider Tales - The Stolen Venus
iSEEK AnswerWorks English Runtime
iTunes
iWin Games (remove only)
Jane's Hotel (remove only)
Jane's Hotel Family Hero
Java(TM) 6 Update 17
Jetsetter (remove only)
Jewel Match 2
Jewel Quest 3
Jewel Quest II (remove only)
Learn2 Player (Uninstall Only)
Lilly Wu and the Terra Cotta Mystery
Little Shop - Big City
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2006
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mortimer Beckett and the Lost King (remove only)
Mortimer Beckett and the Time Paradox (remove only)
Mozilla Firefox (3.0.10)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files - Prime Suspects (remove only)
Mystery Case Files - Ravenhearst (remove only)
Mystery Case Files Huntsville (remove only)
Mystery Case Files Ravenhearst
Nancy Drew - The Phantom of Venice
Nancy Drew: Danger on Deception Island
Nancy Drew: Ghost Dogs of Moon Lake
Nancy Drew: Last Train to Blue Moon Canyon
Nancy Drew: Secret of Shadow Ranch
Nancy Drew: Secret of the Scarlet Hand
Nancy Drew: Secrets Can Kill
Nancy Drew: The Curse of Blackmoor Manor
Nancy Drew: The Haunted Carousel
Natalie Brooks - Secrets of Treasure House
Natalie Brooks 2
Natalie Brooks Secrets of Treasure House
Natalie Brooks: Secrets of Treasure House (remove only)
National Geographic Games Herod's Lost Tomb©
OptiPix Pro
Otto
ProfileWatcher 2.0
Qualxserve Service Agreement
QuickSet
QuickTime
Rainforest Adventure
RealArcade
RealPlayer Basic
RollerCoaster Tycoon 3
Safari
Sandlot Games Client Services 1.2.2
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Snack to the Future (Diner Dash Hometown Hero - Gourmet)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SpywareBlaster 4.2
Synaptics Pointing Device Driver
The Clockwork Man
The Dash Slipper (Diner Dash Hometown Hero - Gourmet)
The Mushroom Age
Trainz Driver - North American Edition
Turbo Fiesta
TurboTax 2008
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 wcaiper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Uniblue RegistryBooster
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB943729)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Verizon Help and Support Tool
Vz In Home Agent
WebFldrs XP
WexTech AnswerWorks
WIDCOMM Bluetooth Software
WildTangent Games
WildTangent ORB Game Console
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinPatrol 2009
Wizard's Pen(TM)
Works Upgrade
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer

==== Event Viewer Messages From Past Week ========

7/5/2010 6:10:24 PM, error: Service Control Manager [7038] - The SSDPSRV service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
7/5/2010 6:10:24 PM, error: Service Control Manager [7001] - The Media Center Extender Service service depends on the SSDP Discovery Service service which failed to start because of the following error: The service did not start due to a logon failure.
7/5/2010 6:10:24 PM, error: Service Control Manager [7000] - The SSDP Discovery Service service failed to start due to the following error: The service did not start due to a logon failure.
7/5/2010 6:10:18 PM, error: Print [19] - Sharing printer failed + 1722, Printer Dell Photo AIO Printer 926 share name Printer2.
7/3/2010 4:18:16 PM, error: PlugPlayManager [11] - The device Root\LEGACY_DIALMGR\0000 disappeared from the system without first being prepared for removal.
7/1/2010 10:43:48 AM, error: Service Control Manager [7000] - The Logitech Bluetooth Service service failed to start due to the following error: The system cannot find the file specified.
7/1/2010 10:34:40 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
7/1/2010 10:33:56 AM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
7/1/2010 10:32:30 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/1/2010 10:32:30 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Workstation service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Wireless Zero Configuration service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Audio service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Task Scheduler service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Shell Hardware Detection service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Error Reporting Service service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DHCP Client service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the CryptSvc service to connect.
7/1/2010 10:32:27 AM, error: Service Control Manager [7001] - The Computer Browser service depends on the Workstation service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The Workstation service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The Wireless Zero Configuration service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The Windows Audio service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The Task Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The DHCP Client service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/1/2010 10:32:27 AM, error: Service Control Manager [7000] - The CryptSvc service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:16:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HID Input Service service to connect.
6/30/2010 4:16:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Help and Support service to connect.
6/30/2010 4:16:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Cryptographic Services service to connect.
6/30/2010 4:16:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the COM+ Event System service to connect.
6/30/2010 4:16:32 PM, error: Service Control Manager [7001] - The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:16:32 PM, error: Service Control Manager [7000] - The HID Input Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:16:32 PM, error: Service Control Manager [7000] - The Help and Support service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:16:32 PM, error: Service Control Manager [7000] - The Cryptographic Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:16:32 PM, error: Service Control Manager [7000] - The COM+ Event System service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/30/2010 4:10:21 PM, error: Service Control Manager [7038] - The RemoteRegistry service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error: Access is denied. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
6/30/2010 4:10:21 PM, error: Service Control Manager [7000] - The Remote Registry service failed to start due to the following error: The service did not start due to a logon failure.

==== End Of File ===========================


DDS2


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mx at 19:17:16.50 on Mon 07/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.575 [GMT -7:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Utility\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=41&sid=v300
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,[email protected]
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [WinPatrol] c:\utility\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://dcode.support.microsoft.com/dcode/ActiveX/MSDcode.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1242705271296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-9 731840]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-4-27 78104]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-1 136176]

=============== Created Last 30 ================

2010-07-06 00:53:28 0 d-----w- c:\docume~1\mx\applic~1\Malwarebytes
2010-07-06 00:53:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 00:53:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-06 00:53:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-01 23:44:48 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-01 17:25:51 98816 ----a-w- c:\windows\sed.exe
2010-07-01 17:25:51 77312 ----a-w- c:\windows\MBR.exe
2010-07-01 17:25:51 256512 ----a-w- c:\windows\PEV.exe
2010-07-01 17:25:51 161792 ----a-w- c:\windows\SWREG.exe
2010-06-24 01:03:43 0 d-----w- C:\downloads
2010-06-19 03:49:58 0 d-----w- c:\docume~1\mx\applic~1\Uniblue

==================== Find3M ====================

2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-03-17 06:41:42 104 --sh--r- c:\windows\system32\CBCCB78211.sys
2010-03-17 06:41:47 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:19:07.84 ===============
:wave:
 

TSF Security Manager, Emeritus · 52,197 Posts
Sounds to me like Eset is doing its job. Could it be a notification from the firewall portion of Eset? It's not unusual for IP blocks to be reported frequently.

I'd need to see a rootkit scan to be more certain. Had you asked for other instructions after the first or second failed attempt, I'd have been happy to provide them. :smile:


Let's try this version of gmer.


Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Files
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you still have troubles, try running the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

If you still have troubles, run the scan with ONLY the Sections and C drive boxes ticked.



 

Registered · 59 Posts · Discussion Starter #11
lsass.exe

Hello TetonBob

thanks for the assist.
new version of gmer is running. I will post log at its completion.

one cause of slow processing may be that the cpu is showing full utilization.
I have shut down as many processes as possible that are using time on the processor. One that is getting 50% of CPU time is lsass.exe. I understand it is relevant, even critical... but it must be running due to something trying to gain privilege. I disable Eset when gmer runs; I also pull the ethernet wire.
That is all I know, :upset:
Aw
 

TSF Security Manager, Emeritus · 52,197 Posts
GMER and any rootkit scanner do use a lot of clock time as they poll the deepest recesses of the OS.

It may be that running the scan in Safe Mode will be the most effective for you. Also, if you just select C drive and Sections, the scan will be relatively short.
 

Registered · 59 Posts · Discussion Starter #13
Thanks for the prompt reply. I am taking advantage of your offer to look at options -- such that the first two passes crashed >> one lock up and a BSOD "PFN file corrupt" msg.

I will run the newest version of gmer in safe mode with the checked selections as you suggest, in order to give you some type of log soon.
Aw
 

Registered · 59 Posts · Discussion Starter #14
No joy. This version of gmer has similar results -- long run times, crash, hang ...
I was unable to get a log from a scan when in safe mode -- the screen was abridged and I could not use the save or copy buttons to capture the log. I tried using a plug in monitor but it will not start up from safe mode. That is the current status, with no change in the IE hijackings. Will continue to try to get a gmer scan log until I hear further from you.
Aw
 

TSF Security Manager, Emeritus · 52,197 Posts
I'm not sure I know what you mean about "IE hijackings". Please capture a screenshot and attach it. From your earlier description, as I mentioned, it seems like it's your AV stopping you from accessing bad URLs.

Only try to run the gmer scan with Sections and C drive checked. Nothing else.

If still no joy, try this tool

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Attach it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
 

Registered · 59 Posts · Discussion Starter #16
Unhook

thanks again teton,
here is an unhooker report. I will continue to work with gmer as you instructed.
Aw

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0DC000 C:\WINDOWS\System32\ati3duag.dll 2756608 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF37D000 C:\WINDOWS\System32\ativvaxx.dll 1753088 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF6A20000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1638400 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF18F5000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xF17C6000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6842000 C:\WINDOWS\system32\DRIVERS\btkrnl.sys 835584 bytes (Broadcom Corporation., Bluetooth Bus Enumerator)
0xB6874000 C:\WINDOWS\system32\DRIVERS\eamon.sys 770048 bytes (ESET, Amon monitor)
0xF1716000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF73C9000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF145F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6764000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF161D000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB5BC1000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF66D9000 C:\WINDOWS\system32\drivers\btaudio.sys 319488 bytes (Broadcom Corporation., Bluetooth Audio Device)
0xF6960000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 311296 bytes (REDC, RICOH XD SM Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF055000 C:\WINDOWS\System32\ati2cqag.dll 282624 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 274432 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF09A000 C:\WINDOWS\System32\atikvmag.dll 270336 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB5E20000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF18C3000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF67EA000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF6931000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF7522000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB6389000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF739C000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB5043000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF14F5000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF69E4000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF15E2000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF74CC000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF14CF000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF66B5000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF69C0000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB6809000 C:\WINDOWS\system32\DRIVERS\epfw.sys 143360 bytes (ESET, ESET Personal Firewall driver)
0xF690E000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF15C0000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7494000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74F2000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF16A9000 C:\WINDOWS\system32\DRIVERS\ehdrv.sys 118784 bytes (ESET, ESET Helper driver)
0xF7382000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB6845000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB682C000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF74B4000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF141F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7456000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF682B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB685E000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF746D000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xB668C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF69AC000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF6A0C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF160A000 C:\WINDOWS\system32\DRIVERS\epfwtdi.sys 77824 bytes (ESET, ESET Personal Firewall TDI filter)
0xF1676000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7482000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7511000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF681A000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7831000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xF6BD0000 C:\WINDOWS\System32\Drivers\btwusb.sys 65536 bytes (Broadcom Corporation., Driver for Bluetooth USB Devices)
0xF7731000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7871000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76D1000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF76A1000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7711000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF6C20000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7881000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF118B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6BE0000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF76B1000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7691000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7851000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF78B1000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7841000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 53248 bytes (REDC, RICOH MS Driver)
0xF7671000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76E1000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF78A1000 C:\WINDOWS\system32\DRIVERS\Epfwndis.sys 45056 bytes (ESET, ESET Personal Firewall NDIS filter)
0xF7701000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7861000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7661000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF78C1000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF117B000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF7891000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 40960 bytes (GEAR Software Inc., CD DVD Filter)
0xF7651000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF6C10000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF6C30000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF7681000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF7821000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6C40000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF6BC0000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB5F19000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF116B000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF76F1000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7919000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7949000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF7A31000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7931000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF78D1000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7A39000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 28672 bytes (REDC, RICOH MMC Driver)
0xB914A000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xB9CCB000 C:\WINDOWS\system32\drivers\btserial.sys 24576 bytes (Broadcom Corporation., Bluetooth Serial Driver for Windows 2000)
0xF7A49000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7A41000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7929000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF7A29000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7939000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7941000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7911000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF78D9000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7A59000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF78E1000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF78F1000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7A51000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7959000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF67CA000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xF7A69000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF6DC2000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF7B09000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF1437000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB952C000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7A61000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7A65000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF16F6000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF735A000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB5C18000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6DAA000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF734A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes
0xF6DC6000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7BCF000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
0xF7BA9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB8BF1000 C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys 8192 bytes (GTek Technologies Ltd., Process Trigger Driver)
0xF7BC1000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7BA7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B51000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BAB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7BAD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B97000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7B99000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB8BE5000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B95000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B53000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7D20000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D11000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7CED000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C19000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7D4C000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7D4B000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
!!!!!!!!!!!Hidden driver: 0x865DDAEA ?_empty_? 1302 bytes
0x865DDEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x86E0A030 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF74B4000 WARNING: suspicious driver modification [atapi.sys::0x865DDAEA]
0x05950000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 1077248 bytes
0xF734A000 WARNING: Virus alike driver modification [rasacd.sys], 12288 bytes
0x058F0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 126976 bytes
0x866A4F53 Unknown page with executable code, 173 bytes
0x03680000 Hidden Image-->System.XML.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 2060288 bytes
0x04A40000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 266240 bytes
0x04790000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 270336 bytes
0x05D00000 Hidden Image-->log4net.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 282624 bytes
0x04430000 Hidden Image-->System.Data.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 2961408 bytes
0x04FD0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 307200 bytes
0x038A0000 Hidden Image-->System.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 3190784 bytes
0x068C0000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 421888 bytes
0x035E0000 Hidden Image-->System.configuration.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 438272 bytes
0x8672BE44 Unknown page with executable code, 444 bytes
0x01380000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 471040 bytes
0x04880000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 479232 bytes
0x06350000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 479232 bytes
0x05220000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 5033984 bytes
0x012F0000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 53248 bytes
0x05770000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 634880 bytes
0x86733D66 Unknown page with executable code, 666 bytes
0x01330000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 77824 bytes
0x04350000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85DE1260 ] PID: 2396, 778240 bytes
0x03590000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 86016 bytes
0x061B0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85DE1260 ] PID: 2396, 872448 bytes

TSF Security Manager, Emeritus
AW....

Don't bother with GMER. The machine is infected again with the TDL rootkit.

Run ComboFix once again. Be sure to disable protection software before doing so. Allow ComboFix to update itself when it's requested.
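
The RKU findings being read here (the hidden driver, and the patched atapi.sys and rasacd.sys entries in the Stealth section of the report above) can be pulled out of a report mechanically. The Python script below is an added example for this thread, not a tool from the forum, RKU, ComboFix or GMER: it parses RKU-style lines, correlates the address a driver modification points at against the hidden-driver list, and ranks what it finds. The sample log is a constructed excerpt modelled on the report above; the severity labels, the "no version info" check and the .NET heuristic for Hidden Image entries are this script's own assumptions, not RKU output.

```python
"""Triage helper for RootKit Unhooker (RKU) text reports (added example, not RKU's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line shapes seen in RKU reports. A plain driver line ends with an optional
# "(Vendor, Description)" taken from the file's version info.
HIDDEN_DRIVER_RE = re.compile(r"^!+Hidden driver: (0x[0-9A-Fa-f]+) (\S+) (\d+) bytes")
MODIFICATION_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+) WARNING: (.+?) \[([^\]:]+)(?:::(0x[0-9A-Fa-f]+))?\]")
HIDDEN_IMAGE_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+) Hidden Image-->(\S+) \[ EPROCESS 0x[0-9A-Fa-f]+ \] PID: (\d+), (\d+) bytes")
UNKNOWN_CODE_RE = re.compile(r"^(0x[0-9A-Fa-f]+) Unknown page with executable code, (\d+) bytes")
DRIVER_LINE_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?) (\d+) bytes(?: \((.*)\))?$")

# Constructed sample modelled on the report posted in this thread (not the full log).
SAMPLE_RKU_LOG = r"""
0xF74B4000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF734A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes
0xF7BC1000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B53000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
!!!!!!!!!!!Hidden driver: 0x865DDAEA ?_empty_? 1302 bytes
0x865DDEC5 unknown_irp_handler 315 bytes
==============================================
>Stealth
==============================================
0xF74B4000 WARNING: suspicious driver modification [atapi.sys::0x865DDAEA]
0x05950000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 1077248 bytes
0xF734A000 WARNING: Virus alike driver modification [rasacd.sys], 12288 bytes
0x058F0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x85DE1260 ] PID: 2396, 126976 bytes
0x866A4F53 Unknown page with executable code, 173 bytes
"""


@dataclass
class Triage:
    hidden_drivers: list = field(default_factory=list)      # (addr, name, size)
    modifications: list = field(default_factory=list)       # (addr, kind, target, referenced addr or None)
    hidden_images: dict = field(default_factory=lambda: defaultdict(list))  # pid -> [image names]
    unknown_code: list = field(default_factory=list)        # (addr, size)
    unversioned_drivers: list = field(default_factory=list)  # .sys/.dll entries with no version string


def parse_rku(text: str) -> Triage:
    """Classify each report line; the specific patterns are tried before the generic driver line."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_DRIVER_RE.match(line):
            t.hidden_drivers.append((m[1].lower(), m[2], int(m[3])))
        elif m := MODIFICATION_RE.match(line):
            t.modifications.append((m[1].lower(), m[2], m[3], m[4].lower() if m[4] else None))
        elif m := HIDDEN_IMAGE_RE.match(line):
            t.hidden_images[int(m[3])].append(m[2])
        elif m := UNKNOWN_CODE_RE.match(line):
            t.unknown_code.append((m[1].lower(), int(m[2])))
        elif m := DRIVER_LINE_RE.match(line):
            name = m[2].rsplit("\\", 1)[-1]
            low = name.lower()
            # Crash-dump mirror drivers (dump_*) legitimately carry no version info; skip them.
            if low.endswith((".sys", ".dll")) and not low.startswith("dump_") and m[4] is None:
                t.unversioned_drivers.append(name)
    return t


def assess(t: Triage) -> list:
    """Turn parsed findings into (severity, message) pairs, highest severity first (heuristic ranking)."""
    out = []
    hidden_addrs = {addr for addr, _, _ in t.hidden_drivers}
    referenced = set()
    for addr, kind, target, ref in t.modifications:
        if ref in hidden_addrs:
            # A modified system driver whose patch points into a hidden driver is the
            # strongest signal in the report: the hook and its hidden payload line up.
            referenced.add(ref)
            out.append(("HIGH", f"{target} at {addr} is patched to reach hidden code at {ref}"))
        else:
            out.append(("HIGH", f"{target} at {addr}: {kind}"))
    for addr, name, size in t.hidden_drivers:
        if addr not in referenced:
            out.append(("MEDIUM", f"hidden driver {name} at {addr} ({size} bytes), not referenced by any hook"))
    for addr, size in t.unknown_code:
        out.append(("MEDIUM", f"unknown executable page at {addr} ({size} bytes)"))
    for pid, names in sorted(t.hidden_images.items()):
        # Heuristic: assemblies the CLR maps itself commonly appear as Hidden Image in a
        # managed process, so a process that also lists System.*.dll images is rated low.
        managed = any(n.startswith("System.") for n in names)
        note = " in a .NET process (CLR-mapped assemblies commonly show here)" if managed else ""
        out.append(("LOW" if managed else "MEDIUM", f"PID {pid}: {len(names)} hidden image(s){note}"))
    for name in t.unversioned_drivers:
        out.append(("LOW", f"{name} carries no version info, unlike the other system drivers"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(out, key=lambda s: rank[s[0]])


if __name__ == "__main__":
    for severity, message in assess(parse_rku(SAMPLE_RKU_LOG)):
        print(f"[{severity}] {message}")
```

On the sample, the atapi.sys modification references the same address as the hidden driver, so it is reported first; rasacd.sys is flagged twice (the "Virus alike" modification and the missing version string), which matches what ComboFix later repaired. All Hidden Image entries sit in one managed process (PID 2396), which is why the heuristic rates them low.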

Discussion Starter #18
comboFix2

Here is the log from the re-run of ComboFix. I have a report from the short run of GMER (I will post it, though it ran prior to ComboFix).

Aw

~~~~~~~~~~~~~~~
combofix2

~~~~~~~~~~~~~

ComboFix 10-07-07.02 - Mx 07/08/2010 15:59:31.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.649 [GMT -7:00]
Running from: c:\documents and settings\Mx\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 22:41 . 2004-08-10 11:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-07-08 22:41 . 2004-08-10 11:00 8832 ----a-w- c:\windows\system32\dllcache\rasacd.sys
2010-07-06 00:53 . 2010-07-06 00:53 -------- d-----w- c:\documents and settings\Mx\Application Data\Malwarebytes
2010-07-06 00:53 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-06 00:53 . 2010-07-06 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 00:53 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-01 23:44 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-01 17:34 . 2010-07-01 17:34 -------- d-----w- c:\documents and settings\Mx\Local Settings\Application Data\ESET
2010-06-24 01:03 . 2010-06-24 01:04 -------- d-----w- C:\downloads
2010-06-19 03:49 . 2010-06-19 03:49 -------- d-----w- c:\documents and settings\Mx\Application Data\Uniblue
2010-06-13 20:32 . 2010-06-13 20:32 -------- d-----w- c:\documents and settings\Serena\GameHouse

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 05:33 . 2010-07-03 05:33 27630760 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-06-19 03:47 . 2010-06-19 03:47 503808 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcp71.dll
2010-06-19 03:47 . 2010-06-19 03:47 499712 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\jmc.dll
2010-06-19 03:47 . 2010-06-19 03:47 348160 ----a-w- c:\documents and settings\Mx\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-4a41d78b-n\msvcr71.dll
2010-06-18 06:48 . 2007-03-15 07:27 -------- d-----w- c:\program files\Yahoo! Games
2010-06-15 22:18 . 2007-04-08 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2010-06-15 00:23 . 2010-06-15 22:18 607472 ----a-w- c:\documents and settings\All Users\Application Data\yahoo!\YUPDATER\yupdater.exe
2010-06-14 07:33 . 2008-01-12 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2010-06-14 06:41 . 2008-11-23 20:10 -------- d-----w- c:\program files\RealArcade
2010-06-13 18:58 . 2008-01-15 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Flood Light Games
2010-06-01 17:04 . 2006-12-09 18:51 -------- d-----w- c:\program files\Google
2010-05-06 10:41 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-08-16 10:18 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2005-08-16 10:18 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-03-17 06:41 . 2007-03-11 04:12 104 --sh--r- c:\windows\system32\CBCCB78211.sys
2010-03-17 06:41 . 2007-03-11 04:12 7100 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-04 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-06-07 106496]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"WinPatrol"="c:\utility\WinPatrol\winpatrol.exe" [2009-04-20 337216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [4/9/2009 3:19 PM 731840]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/27/2009 6:49 AM 78104]
S3 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/1/2010 10:04 AM 136176]
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{3580EDF3-FD1E-45C9-B565-B3A022E11F70}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.fulldotfind.com/pubac/ac.php?aid=41&sid=v300
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\utility\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-08 16:17:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 23:17
ComboFix2.txt 2010-07-03 23:29
ComboFix3.txt 2010-07-01 18:05
ComboFix4.txt 2009-05-18 22:41

Pre-Run: 74,695,712,768 bytes free
Post-Run: 74,793,975,808 bytes free

- - End Of File - - 08B5BA0660BD238780542B1A8096F43B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~
GMER short run prior to ComboFix ~~
~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-08 15:25:51
Windows 5.1.2600 Service Pack 3
Running: cd1vrgqw.exe; Driver: C:\DOCUME~1\Mx\LOCALS~1\Temp\awtdypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\rasacd.sys entry point in ".rsrc" section [0xF7B46C14]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[136] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1428] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F6000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1912] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\rasacd.sys suspicious modification

---- EOF - GMER 1.0.15 ----

TSF Security Manager, Emeritus
Good work. GMER shows the same as RKU did, and ComboFix also shows it removed.


Your Java is out of date.

Java(TM) 6 Update 17 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - Leave BOTH Checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants. This scan can take quite a while, but is very thorough.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
---------------------------------------------------------------------------------------------

Also post a new log from DDS

How are things now?