
Repeated Boaxxe.E infection. Explorer crash [Solved]



#16
hammerman
hi,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


#17
netnut (Topic Starter)
Hi Hammerman,

Here is the Combofix log.

Netnut

ComboFix 10-05-29.05 - HP_Administrator 05/30/2010 7:58.1.1 - x86
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll
c:\documents and settings\HP_Administrator\update_hnp11a_v203R07us.bin
c:\windows\system32\drivers\neeltixf.sys
c:\windows\system32\drivers\zleojtfl.sys
c:\windows\system32\uqtfizh.dll
D:\Autorun.inf
J:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GOOGLEUPDATEBETA
-------\Legacy_ZDQKFBQB
-------\Service_zdqkfbqb


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 05:04 . 2010-05-30 05:04 -------- d-----w- c:\program files\ERUNT
2010-05-25 16:37 . 2010-05-25 16:37 -------- d-----w- c:\program files\iPod
2010-05-25 16:37 . 2010-05-25 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 16:37 . 2010-05-25 16:38 -------- d-----w- c:\program files\iTunes
2010-05-25 16:34 . 2010-05-25 16:34 -------- d-----w- c:\program files\QuickTime
2010-05-25 16:30 . 2010-05-25 16:30 -------- d-----w- c:\program files\Bonjour
2010-05-25 16:25 . 2010-05-25 16:25 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-25 16:10 . 2010-05-25 16:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-19 01:51 . 2010-05-19 01:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Antispyware
2010-05-18 16:21 . 2010-05-18 16:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-16 19:17 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-16 13:58 . 2010-05-12 18:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 13:53 . 2010-05-16 13:53 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-15 14:47 . 2010-05-15 14:47 96512 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-05-15 07:31 . 2010-05-15 14:49 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-05-10 17:37 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 17:37 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 13:36 . 2010-05-09 13:36 -------- d-----w- c:\program files\AVG
2010-05-09 13:35 . 2010-05-18 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-08 08:28 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-05 16:55 . 2010-05-05 16:55 -------- d-----w- c:\program files\NirSoft
2010-05-05 16:17 . 2010-01-29 15:01 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-05 16:16 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 15:19 . 2005-12-12 07:08 112128 ----a-w- c:\windows\system32\zbaebwj.dll
2010-05-30 04:59 . 2005-12-20 09:12 67000 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 16:37 . 2007-10-31 05:29 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 16:18 . 2009-05-29 16:29 -------- d-----w- c:\program files\Safari
2010-05-25 16:09 . 2009-11-01 07:22 -------- d-----w- c:\program files\AirPort
2010-05-24 16:10 . 2005-12-12 07:08 136192 ----a-w- c:\windows\system32\rqeacdfa.dll
2010-05-20 17:08 . 2010-03-14 09:50 439816 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15 . 2005-12-12 07:10 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 14:55 . 2006-09-12 04:02 51140 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-01 16:23 . 2005-01-28 09:40 93511 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-03-01 16:22 . 2010-03-01 16:22 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2010-03-01 16:22 . 2010-03-01 16:22 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2005-10-02 06:37 . 2005-12-12 15:01 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
"Ncr"="c:\program files\Panasonic\NCR2\ncrcore.exe" [2007-09-05 954368]
"gStart"="c:\garmin\gStart.exe" [2007-08-23 1891416]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-26 180269]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-29 344064]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 1537640]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-18 81920]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
2004-09-13 23:36 267216 ----a-w- c:\program files\WildTangent\Apps\GameChannel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\ehome\\ehExtHost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour

R0 zleojtfl;zleojtfl;c:\windows\system32\drivers\zleojtfl.sys --> c:\windows\system32\drivers\zleojtfl.sys [?]
S1 MpKsl7960c51e;MpKsl7960c51e;\??\c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys --> c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 10:24 PM 135664]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\progra~1\AIRLIN~1\POWERL~1\PLCMPR5.SYS --> c:\progra~1\AIRLIN~1\POWERL~1\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\progra~1\AIRLIN~1\POWERL~1\PLCNDIS5.SYS --> c:\progra~1\AIRLIN~1\POWERL~1\PLCNDIS5.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 05:24]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 05:24]

2010-05-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]

2010-05-30 c:\windows\Tasks\User_Feed_Synchronization-{A4393606-FC5D-4B42-8CDD-87DE9A05DDD3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {F265F5E6-B418-4D27-8478-A3CFED5B0BCB} = 192.168.1.1
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://192.168.1.111:89/kxhcm10.ocx
DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} - hxxps://demo.caymas.com/ui/Axt.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4csiheuu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A150A858-31D6-4460-88BB-FCCAE8A048CC} - c:\windows\system32\uqtfizh.dll
ShellIconOverlayIdentifiers-{A150A858-31D6-4460-88BB-FCCAE8A048CC} - c:\windows\system32\uqtfizh.dll
HKLM-Run-AutoTBar - c:\program files\HP\Digital Imaging\bin\AUTOTBAR.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 08:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3928)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\program files\Panasonic\NCR2\Ncrwd2.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SOUNDMAN.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Java\jre1.5.0\bin\jusched.exe
.
**************************************************************************
.
Completion time: 2010-05-30 08:31:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 15:31

Pre-Run: 15,683,518,464 bytes free
Post-Run: 15,699,550,208 bytes free

- - End Of File - - 714F9103968EB6A92AEB2E00C3D52D57

#18
hammerman
Hi,

I notice that you are using more than one antivirus program. This is not necessary and will not give added protection. In fact, you may be more vulnerable to infection due to conflict between the programs and the extra resources required will inevitably slow down your computer. We recommend you use one antivirus program and regularly update its virus definitions.

You currently have MSE, AVG and Norton installed. You will need to uninstall two of these.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\zbaebwj.dll
c:\windows\system32\rqeacdfa.dll
c:\windows\system32\drivers\zleojtfl.sys

Folder::

Registry::

Driver::
zleojtfl


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
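An added example, not code from this thread or from ComboFix: a small Python triage script that reads a ComboFix log in the line formats shown in post #17 and pulls out the indicators that post #18 acts on. It collects the files ComboFix already deleted, flags autorun.inf on non-system volumes, picks out a registered driver under system32\drivers whose file ComboFix could not read (the "[?]" marker on the R0 zleojtfl line), lists system32 binaries modified within a few days of the scan but created years earlier (zbaebwj.dll and rqeacdfa.dll in the log), records the globally open firewall ports (3389/TCP and 5353/UDP), and then renders File:: and Driver:: directives in the CFScript layout used in post #18. The sample log inside the script is constructed from those line formats and is not a real capture; reading the Find3M columns as modified-then-created, the 7-day window, and every function name are assumptions of this example.

```python
"""Triage a ComboFix log for the indicators discussed in this thread.

Added example, not the forum's or ComboFix's own code. Assumptions (also marked
in comments): the Find3M columns read "modified . created"; a 7-day window
defines "recently modified"; the sample log is constructed from the line
formats shown in the thread, not a real capture.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the formats ComboFix emits (assembled for this example).
SAMPLE_LOG = r"""
ComboFix 10-05-29.05 - HP_Administrator 05/30/2010 7:58.1.1 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\neeltixf.sys
c:\windows\system32\uqtfizh.dll
D:\Autorun.inf
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-05-30 15:19 . 2005-12-12 07:08 112128 ----a-w- c:\windows\system32\zbaebwj.dll
2010-05-24 16:10 . 2005-12-12 07:08 136192 ----a-w- c:\windows\system32\rqeacdfa.dll
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-03-10 06:15 . 2005-12-12 07:10 420352 ----a-w- c:\windows\system32\vbscript.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
R0 zleojtfl;zleojtfl;c:\windows\system32\drivers\zleojtfl.sys --> c:\windows\system32\drivers\zleojtfl.sys [?]
S1 MpKsl7960c51e;MpKsl7960c51e;\??\c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys --> c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 10:24 PM 135664]
"""

HEADER_RE = re.compile(r"^ComboFix \S+ - \S+ (\d{1,2}/\d{1,2}/\d{4}) ")
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# Find3M line: "<modified> . <created> <size> <attrs> <path>" (column order assumed)
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+\S+\s+(.+)$")
# Service line ending in "[?]": a registered driver whose file ComboFix could not read.
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+) \[\?\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')


def stale_system32(path, modified, created, scan_date, window_days):
    """True for a system32 binary touched within window_days of the scan but
    created years earlier. A Windows update leaves the same pattern (vbscript.dll
    in the thread's log: modified 2010-03-10, created 2005), so the short window
    keeps the list reviewable; hits are candidates, not verdicts."""
    p = path.lower()
    if not p.startswith("c:\\windows\\system32\\") or not p.endswith((".dll", ".sys", ".exe")):
        return False
    if scan_date is None or scan_date - modified > timedelta(days=window_days):
        return False
    return modified - created > timedelta(days=365)


def triage(log_text, window_days=7):
    """Walk the log once and collect the indicators a helper would act on."""
    findings = {"deleted": [], "autorun": [], "stale_system32": [],
                "phantom_drivers": [], "open_ports": []}
    scan_date, section, subkey = None, None, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := HEADER_RE.match(line):
            scan_date = datetime.strptime(m.group(1), "%m/%d/%Y")
        elif m := SECTION_RE.match(line):
            section = m.group(1).lower()
        elif line.startswith("["):
            subkey = line.lower()              # current registry key, e.g. GloballyOpenPorts
        elif section == "other deletions":
            findings["deleted"].append(line)   # ComboFix already removed these
            # autorun.inf on a non-system volume: the removable media need checking too
            if line.lower().endswith("autorun.inf") and not line.lower().startswith("c:"):
                findings["autorun"].append(line)
        elif section == "find3m report" and (m := FIND3M_RE.match(line)):
            modified = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            created = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
            if stale_system32(m.group(3), modified, created, scan_date, window_days):
                findings["stale_system32"].append(m.group(3))
        elif m := DRIVER_RE.match(line):
            start, name, path = m.group(1), m.group(2), m.group(3).split(" --> ")[-1]
            # Keep only drivers under system32\drivers. MSE's MpKsl* entry is also
            # "[?]" but lives in MpEngineStore, so this path test skips it.
            if "\\drivers\\" in path.lower():
                findings["phantom_drivers"].append((start, name, path))
        elif "globallyopenports" in subkey and (m := PORT_RE.match(line)):
            findings["open_ports"].append(f"{m.group(1)}/{m.group(2)}")
    return findings


def build_cfscript(findings):
    """Render File::/Driver:: directives in the CFScript layout used in post #18.
    ComboFix deletes whatever is listed, so a helper reviews this before use."""
    files = findings["stale_system32"] + [p for _, _, p in findings["phantom_drivers"]]
    drivers = [name for _, name, _ in findings["phantom_drivers"]]
    return "\n".join(["KillAll::", "", "File::", *files, "", "Driver::", *drivers, ""])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, items in result.items():
        print(f"{key}: {items}")
    print(build_cfscript(result))
```

On the sample it yields the same three File:: entries and the single zleojtfl Driver:: entry that post #18 lists. Treat the output as a review list rather than a verdict: a Windows update also leaves a system32 DLL with a fresh modified time and an old creation time, which is why the window is short, and a CFScript should still be checked by a helper before anyone drags it onto ComboFix.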

#19
netnut (Topic Starter)
Hi Hammerman,

I tried Norton first, then AVG and now MSE. Would like to stick with MSE, but I am not sure how to uninstall the others. They don't show up in the tray, or in the Add/Delete programs or in any program Uninstall menu.
A pointer to uninstall these two would be appreciated.

Here is the Combofix log.

Thanks,

Netnut

ComboFix 10-05-29.05 - HP_Administrator 05/30/2010 11:13:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.842 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\drivers\zleojtfl.sys"
"c:\windows\system32\rqeacdfa.dll"
"c:\windows\system32\zbaebwj.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rqeacdfa.dll
c:\windows\system32\zbaebwj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZLEOJTFL
-------\Service_zleojtfl


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 05:04 . 2010-05-30 05:04 -------- d-----w- c:\program files\ERUNT
2010-05-25 16:37 . 2010-05-25 16:37 -------- d-----w- c:\program files\iPod
2010-05-25 16:37 . 2010-05-25 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-25 16:37 . 2010-05-25 16:38 -------- d-----w- c:\program files\iTunes
2010-05-25 16:34 . 2010-05-25 16:34 -------- d-----w- c:\program files\QuickTime
2010-05-25 16:30 . 2010-05-25 16:30 -------- d-----w- c:\program files\Bonjour
2010-05-25 16:25 . 2010-05-25 16:25 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-25 16:10 . 2010-05-25 16:10 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-05-19 01:51 . 2010-05-19 01:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Antispyware
2010-05-18 16:21 . 2010-05-18 16:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-16 19:17 . 2009-08-07 02:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-16 13:58 . 2010-05-12 18:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 13:53 . 2010-05-16 13:53 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-15 14:47 . 2010-05-15 14:47 96512 ----a-w- c:\windows\system32\drivers\ATAPI.SYS
2010-05-15 07:31 . 2010-05-15 14:49 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-05-10 17:37 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 17:37 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-10 17:37 . 2010-05-10 17:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 13:36 . 2010-05-09 13:36 -------- d-----w- c:\program files\AVG
2010-05-09 13:35 . 2010-05-18 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-08 08:28 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-05-05 16:55 . 2010-05-05 16:55 -------- d-----w- c:\program files\NirSoft
2010-05-05 16:17 . 2010-01-29 15:01 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-05-05 16:16 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 17:08 . 2010-03-14 09:50 439816 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\Update\setup3.10\setup.exe
2010-05-30 04:59 . 2005-12-20 09:12 67000 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-25 16:37 . 2007-10-31 05:29 -------- d-----w- c:\program files\Common Files\Apple
2010-05-25 16:18 . 2009-05-29 16:29 -------- d-----w- c:\program files\Safari
2010-05-25 16:09 . 2009-11-01 07:22 -------- d-----w- c:\program files\AirPort
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15 . 2005-12-12 07:10 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-06 14:55 . 2006-09-12 04:02 51140 ---ha-w- c:\windows\system32\mlfcache.dat
2005-10-02 06:37 . 2005-12-12 15:01 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nero PhotoShow Media Manager"="c:\progra~1\Nero\NERO7~1\NEROPH~2\data\Xtras\mssysmgr.exe" [2006-05-10 249856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
"Ncr"="c:\program files\Panasonic\NCR2\ncrcore.exe" [2007-09-05 954368]
"gStart"="c:\garmin\gStart.exe" [2007-08-23 1891416]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-08-26 180269]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-29 344064]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 1537640]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"MaxtorOneTouch"="c:\program files\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 712704]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-18 81920]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-03 61440]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2005-8-26 45056]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
2004-09-13 23:36 267216 ----a-w- c:\program files\WildTangent\Apps\GameChannel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\WINDOWS\\ehome\\ehExtHost.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour

S1 MpKsl7960c51e;MpKsl7960c51e;\??\c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys --> c:\windows\system32\MpEngineStore\MpKsl7960c51e.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 10:24 PM 135664]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\progra~1\AIRLIN~1\POWERL~1\PLCMPR5.SYS --> c:\progra~1\AIRLIN~1\POWERL~1\PLCMPR5.SYS [?]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;\??\c:\progra~1\AIRLIN~1\POWERL~1\PLCNDIS5.SYS --> c:\progra~1\AIRLIN~1\POWERL~1\PLCNDIS5.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 05:24]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-14 05:24]

2010-05-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-10 01:02]

2010-05-30 c:\windows\Tasks\User_Feed_Synchronization-{A4393606-FC5D-4B42-8CDD-87DE9A05DDD3}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = hxxp://localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {F265F5E6-B418-4D27-8478-A3CFED5B0BCB} = 192.168.1.1
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://192.168.1.111:89/kxhcm10.ocx
DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} - hxxps://demo.caymas.com/ui/Axt.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4csiheuu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 11:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\WININET.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Maxtor\OneTouch\Utils\SyncServices.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Panasonic\NCR2\Ncrwd2.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZinw12.exe
c:\windows\SOUNDMAN.EXE
c:\windows\AGRSMMSG.exe
.
**************************************************************************
.
Completion time: 2010-05-30 11:29:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 18:29
ComboFix2.txt 2010-05-30 15:31

Pre-Run: 15,676,833,792 bytes free
Post-Run: 15,638,499,328 bytes free

- - End Of File - - 2C68B5DED7657710E2BD426E64420F7D

#20
hammerman

Hi,

Please use the AVG removal tool here to completely remove AVG from your computer.

Please use the Norton removal tool here, selecting the correct version, to completely remove Norton from your computer.

Please follow these steps.

-- Step 1 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 3 --
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")
-- Step 4 --

Run OTL and select Minimal Output. Use the Quick Scan button to start a scan.
Please post the OTL report in your reply.

#21
netnut

Hi Hammerman,

I removed AVG and Norton, thanks for that pointer. The system feels less bloated already.
After I installed the new jre and rebooted, ffox came up with an add-on to install called xulcache. I uninstalled it. FYI.

Attached are the MBAM and the OTL logs.

Regards,

Netnut

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4158

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/31/2010 9:03:34 AM
mbam-log-2010-05-31 (09-03-34).txt

Scan type: Quick scan
Objects scanned: 147875
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfile created on: 5/31/2010 10:01:05 AM - Run 3
OTL by OldTimer - Version 3.2.5.1 Folder = C:\Documents and Settings\HP_Administrator\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 44.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 67.77 Gb Total Space | 14.53 Gb Free Space | 21.44% Space Free | Partition Type: NTFS
Drive D: | 6.74 Gb Total Space | 0.42 Gb Free Space | 6.19% Space Free | Partition Type: FAT32
Unable to calculate disk information.
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 697.05 Gb Total Space | 513.09 Gb Free Space | 73.61% Space Free | Partition Type: NTFS
Drive M: | 234.46 Gb Total Space | 136.54 Gb Free Space | 58.24% Space Free | Partition Type: NTFS

Computer Name: MEDIAPC
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\msfeedssync.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Panasonic\NCR2\Ncrwd2.exe (Panasonic Communications Co., Ltd.)
PRC - C:\Program Files\Panasonic\NCR2\ncrcore.exe (Panasonic Communications Co., Ltd.)
PRC - C:\Garmin\gStart.exe (GARMIN Corp.)
PRC - C:\WINDOWS\system32\HPZipm12.exe (HP)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
PRC - C:\Program Files\Nero\Nero 7\Nero PhotoShow 4\data\Xtras\mssysmgr.exe (Nero AG / Nero Inc.)
PRC - C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe (Maxtor Corporation)
PRC - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe ( )
PRC - C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe (Maxtor Corp.)
PRC - C:\WINDOWS\system32\gearsec.exe (GEAR Software)
PRC - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe (Hewlett-Packard)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe (Hewlett-Packard Co.)
PRC - C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\system32\HPZinw12.exe (HP)
PRC - C:\Program Files\Dantz\Retrospect\retrorun.exe (Dantz Development Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\HP_Administrator\My Documents\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msacm32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\AppPatch\acgenral.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\Documents and Settings\HP_Administrator\Local Settings\temp\IadHide5.dll (BackWeb)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)
SRV - (MaxBackServiceInt) -- C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe ()
SRV - (NTService1) -- C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe ( )
SRV - (GEARSecurity) -- C:\WINDOWS\system32\gearsec.exe (GEAR Software)
SRV - (Retrospect Helper) -- C:\Program Files\Dantz\Retrospect\rthlpsvc.exe (Dantz Development Corporation)
SRV - (RetroLauncher) -- C:\Program Files\Dantz\Retrospect\retrorun.exe (Dantz Development Corporation)


========== Driver Services (SafeList) ==========

DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)
DRV - (IrBus) -- C:\WINDOWS\system32\drivers\irbus.sys (Microsoft Corporation)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ATITool) -- C:\WINDOWS\system32\drivers\ATITool.sys (W1zzard)
DRV - (MXOPSWD) -- C:\WINDOWS\system32\drivers\mxopswd.sys (Maxtor Corp.)
DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
DRV - (PcdrNdisuio) -- C:\WINDOWS\system32\drivers\PcdrNdisuio.sys (Windows ® 2000 DDK provider)
DRV - (CX23880) -- C:\WINDOWS\system32\drivers\cx88vid.sys (Conexant Systems, Inc.)
DRV - (CXTUNE) -- C:\WINDOWS\system32\drivers\cx88tune.sys (Conexant Systems, Inc.)
DRV - (CX88ENC) -- C:\WINDOWS\system32\drivers\cx88enc.sys (Conexant Systems, Inc.)
DRV - (CXAVXBAR) -- C:\WINDOWS\system32\drivers\cxavxbar.sys (Conexant Systems, Inc.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (fasttx2k) -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = A6 98 E7 03 54 4B 08 45 95 30 1C 43 95 74 6F D9 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = http://localhost;*.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/25 09:34:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/31 09:42:33 | 000,000,000 | ---D | M]

[2008/08/26 18:42:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Extensions
[2010/05/31 09:44:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\4csiheuu.default\extensions
[2010/05/31 09:43:12 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/31 09:42:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/05/31 09:42:18 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/05/30 11:22:35 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\Utils\OneTouch.exe (Maxtor Corporation)
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corp.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [gStart] C:\Garmin\gStart.exe (GARMIN Corp.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [Ncr] C:\Program Files\Panasonic\NCR2\ncrcore.exe (Panasonic Communications Co., Ltd.)
O4 - HKCU..\Run: [Nero PhotoShow Media Manager] C:\Program Files\Nero\Nero 7\Nero PhotoShow 4\data\Xtras\mssysmgr.exe (Nero AG / Nero Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe (Hewlett-Packard)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} http://192.168.1.111:89/kxhcm10.ocx (KX-HCM10 Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1158547599220 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1273775401963 (MUWebControl Class)
O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} https://demo.caymas.com/ui/Axt.cab (Caymas Secure Tunnel)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} https://demo.caymas....dl/jt/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540022} http://download.macr...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.micr...04/clearadj.cab (CTAdjust Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = theuppals.com
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/26 08:46:44 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 20:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2009/10/25 02:23:59 | 000,000,000 | ---D | M] - M:\Automatically Add to iTunes -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/31 09:50:50 | 000,854,064 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\Norton_Removal_Tool.exe
[2010/05/31 09:42:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/31 09:42:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/30 18:44:03 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/30 18:43:14 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/05/30 11:20:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/30 07:55:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/30 07:55:01 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/30 07:55:01 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/30 07:55:01 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/30 07:54:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/29 22:05:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/29 22:04:31 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/25 09:37:32 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/05/25 09:37:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/05/25 09:37:22 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/05/25 09:34:09 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/05/25 09:30:34 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/05/22 02:18:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/18 18:51:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Antispyware
[2010/05/18 09:21:49 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2010/05/16 06:53:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/05/15 00:31:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/10 10:37:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
[2010/05/10 10:37:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/10 10:37:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/10 10:37:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/10 10:37:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/09 06:36:07 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/09 06:35:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/05/05 09:55:53 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2010/04/18 09:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/18 09:09:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/03/14 02:50:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/03/13 22:30:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/13 22:24:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Temp
[2010/03/04 11:38:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\Downloads

========== Files - Modified Within 90 Days ==========

[2010/05/31 10:01:26 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A4393606-FC5D-4B42-8CDD-87DE9A05DDD3}.job
[2010/05/31 09:58:34 | 000,000,902 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/31 09:58:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/31 09:58:23 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/31 09:58:21 | 1541,984,256 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/31 09:57:18 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\ntuser.dat
[2010/05/31 09:57:16 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\HP_Administrator\ntuser.ini
[2010/05/31 09:57:09 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2010/05/31 09:50:53 | 000,854,064 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\Norton_Removal_Tool.exe
[2010/05/31 09:45:49 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/31 09:34:00 | 000,000,906 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/30 18:43:15 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\TFC.exe
[2010/05/30 11:23:55 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/30 11:22:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/30 07:52:58 | 003,700,932 | R--- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2010/05/30 06:35:58 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\SystemLook.exe
[2010/05/30 06:28:46 | 000,005,610 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\fix.reg
[2010/05/29 22:04:31 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/05/29 22:04:31 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/05/29 21:59:25 | 000,067,000 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/29 21:57:15 | 000,243,920 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/29 04:03:01 | 000,000,729 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/29 04:03:01 | 000,000,279 | -HS- | M] () -- C:\boot.ini
[2010/05/25 09:38:21 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/25 09:18:17 | 000,001,854 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safari.lnk
[2010/05/24 23:48:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/24 08:56:26 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/18 09:22:23 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/16 06:53:15 | 000,000,831 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/05/14 18:38:07 | 000,001,926 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 10:37:05 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/17 08:33:26 | 000,441,690 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/17 08:33:26 | 000,382,022 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/17 08:33:26 | 000,053,640 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/09 11:41:32 | 000,000,229 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/13 01:19:22 | 000,000,022 | ---- | M] () -- C:\WINDOWS\System32\ati64hlp.stb
[2010/03/10 22:59:18 | 000,000,022 | ---- | M] () -- C:\WINDOWS\System32\ati64hl2.stb
[2010/03/06 07:55:48 | 000,051,140 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat

========== Files Created - No Company Name ==========

[2010/05/30 07:55:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/30 07:55:01 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/30 07:55:01 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/30 07:55:01 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/30 07:55:01 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/30 07:52:49 | 003,700,932 | R--- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
[2010/05/30 06:35:53 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\SystemLook.exe
[2010/05/30 06:28:46 | 000,005,610 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\fix.reg
[2010/05/29 22:04:31 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\NTREGOPT.lnk
[2010/05/29 22:04:31 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\ERUNT.lnk
[2010/05/25 09:38:21 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/05/16 06:58:29 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/16 06:53:14 | 000,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/05/14 18:38:07 | 000,001,926 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2010/05/10 10:37:05 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/09 06:30:39 | 1541,984,256 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/17 08:30:49 | 000,003,094 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\A150A858-31D6-4460-88BB-FCCAE8A048CC.txt
[2010/04/11 23:43:30 | 000,004,348 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\A150A858-31D6-4460-88BB-FCCAE8A048CC.txt
[2010/03/13 22:24:54 | 000,000,906 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/13 22:24:54 | 000,000,902 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/13 01:19:22 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\ati64hlp.stb
[2010/03/10 22:59:18 | 000,000,022 | ---- | C] () -- C:\WINDOWS\System32\ati64hl2.stb
[2009/12/31 01:15:18 | 000,215,144 | R--- | C] () -- C:\WINDOWS\patchw32.dll
[2009/12/31 01:14:51 | 000,215,144 | R--- | C] () -- C:\WINDOWS\pw32a.dll
[2008/03/03 23:53:48 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2008/03/03 00:04:22 | 000,000,234 | ---- | C] () -- C:\WINDOWS\PrnHlpLogConfig.ini
[2008/03/03 00:04:06 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_InstantSHareJPG.ini
[2008/03/03 00:03:53 | 000,000,217 | ---- | C] () -- C:\WINDOWS\HP_IZClosingDiscErrorPatch.ini
[2008/03/03 00:02:49 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2007/04/20 20:06:41 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2007/01/28 22:33:16 | 000,000,229 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/02/12 00:25:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\muveeapp.INI
[2006/01/24 08:44:27 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2006/01/24 08:44:07 | 000,000,167 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2006/01/24 08:41:00 | 000,000,814 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2005/12/15 23:11:46 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/12/12 00:08:40 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\uqtfizh.dll.bak
[2005/08/26 08:48:51 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/26 08:45:29 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/26 08:45:29 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/26 08:45:29 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/26 08:45:29 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/26 08:45:29 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/26 08:45:28 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/26 08:17:05 | 000,015,327 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2005/08/26 08:16:59 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2005/08/26 08:16:44 | 000,002,150 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2005/08/26 08:13:21 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/08/26 07:50:06 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/26 07:30:31 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/08/26 07:29:19 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\pythoncom22.dll
[2005/08/26 07:29:19 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\pywintypes22.dll
[2005/08/26 07:28:58 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/02/18 10:56:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/01/19 22:45:40 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/01/19 22:45:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/07/26 14:51:38 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/10 22:04:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2003/01/07 22:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2010/05/17 18:39:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2008/06/10 22:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GARMIN
[2007/11/04 19:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2006/01/13 01:00:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2009/06/26 21:02:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\My Movies
[2010/03/11 09:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Retrospect
[2006/03/26 23:35:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/05/25 09:38:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/10 05:34:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/29 09:39:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/05/31 09:45:49 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/05/31 10:01:26 | 000,000,444 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A4393606-FC5D-4B42-8CDD-87DE9A05DDD3}.job

========== Purity Check ==========


< End of report >

#22
hammerman

Hi,

Let's run a final scan for remnants.

Please follow these steps.

-- Step 1 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.
-- Step 2 --

Please do an online scan with Kaspersky WebScanner

Click on Accept

You may be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Settings
  • In the scan settings, select the following:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan spyware, adware, diallers and other riskware
    Scan Archives
    Scan E-mail databases
  • Click Save
  • Now under Scan, select My Computer
  • This will start the scanning of your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on View Report and then Save Report
  • Save the file to your desktop as a text file.
  • Copy and paste that information in your next post.


#23
netnut

Oh no, it's back :-(

MSE reports a Boaxxe.E infection and the Kaspersky log shows the same infection. The J drive was not being scanned before.

See below.

thx,

netnut

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 20504067 bytes
->Temporary Internet Files folder emptied: 6118381 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 68912814 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 887 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 13832 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: uppal
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17692 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 91.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: uppal
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.1 log created on 05312010_181037

Files\Folders moved on Reboot...
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.

Registry entries deleted on Reboot...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 1, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 01, 2010 00:02:58
Records in database: 4194327
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
M:\

Scan statistics:
Objects scanned: 194350
Threats found: 19
Infected objects found: 26
Suspicious objects found: 1
Scan duration: 07:41:38


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_zleojtfl_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uqtfizh.dll.vir Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP9\A0000205.dll Infected: Packed.Win32.Krap.hc 1
J:\data\atsilvan\Outlook Express\Corp 124 External - Feb2001.dbx Infected: Trojan-DDoS.Linux.Blitz.a 2
J:\data\atsilvan\Outlook Express\Corp 124 External - Feb2001.dbx Infected: Rootkit.Linux.Agent.ak 1
J:\data\atsilvan\Outlook Express\Corp 124 External - Feb2001.dbx Infected: Rootkit.Linux.Agent.c 4
J:\data\atsilvan\Outlook Express\Corp 124 External - Feb2001.dbx Infected: Rootkit.Linux.Agent.c2 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Account Investigation Warning.eml Infected: Trojan-Spy.HTML.Smitfraud.a 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Customer Notice Instructions For CIient Sun 09 Feb 2003 10 11 59 0400.eml Infected: Trojan-Spy.HTML.Bayfraud.hn 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\eBay Inc Confirm Your Details To Avoid Service Cancellation.eml Infected: Trojan-Spy.HTML.Bayfraud.hn 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\IMPORTANT INFORMATION FROM WASHINGTON MUTUAL BILLING DEPARTMENT.eml Infected: Trojan-Spy.HTML.Bankfraud.w 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Information Your Account.eml Infected: Trojan-Spy.HTML.Bankfraud.q 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Notification From Smith Barney Sat 05 Feb 2005 14 44 32 0500.eml Infected: Trojan-Spy.HTML.Smitfraud.c 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\PLEASE CONFIRM YOUR SMITH BARNEY INTERNET BANKING IDENTITY.eml Infected: Trojan-Spy.HTML.Citifraud.an 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Security Alert on Microsoft Internet Explorer.eml Infected: Trojan-Spy.HTML.Sunfraud.ai 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Smith Barney urgent security notification Mon 10 Jan 2005 22 44 11 0600.eml Infected: Trojan-Spy.HTML.Smitfraud.a 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\URGENT NOTICE FROM BILLING DEPARTMENT.eml Infected: Trojan-Spy.HTML.Usbankfraud.p 1
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Washington Mutual Security Update Please Read.eml Infected: Trojan-Spy.HTML.Bankfraud.w 1
J:\data\smalljdrive\Outlook\2004to05.pst Infected: Trojan-Spy.HTML.Paylap.ca 1
J:\data\smalljdrive\Outlook\2004to05.pst Infected: Trojan-Spy.HTML.Bayfraud.m 1
J:\data\smalljdrive\Outlook\augsepl06.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
J:\software\clonecd\SetupCloneCD.exe Infected: not-a-virus:AdWare.Win32.CommonName.be 1
J:\software\snapstream\BTV_V34_FULL.exe Infected: not-a-virus:RiskTool.Win32.PsKill.103 1

Selected area has been scanned.

#24
hammerman

Hi,

You have a few infected e-mails there. Some I cannot remove, so be careful when you open up any attachments to e-mails. I suggest you delete anything suspicious.

MSE reports Boaxxe.E infection and the Kaspersky log shows the same infection.

Which detection in the Kaspersky log do you mean? Can you give me details of what MSE is detecting. It could be something we've already deleted.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Account Investigation Warning.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Customer Notice Instructions For CIient Sun 09 Feb 2003 10 11 59 0400.eml 
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\eBay Inc Confirm Your Details To Avoid Service Cancellation.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\IMPORTANT INFORMATION FROM WASHINGTON MUTUAL BILLING DEPARTMENT.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Information Your Account.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Notification From Smith Barney Sat 05 Feb 2005 14 44 32 0500.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\PLEASE CONFIRM YOUR SMITH BARNEY INTERNET BANKING IDENTITY.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Security Alert on Microsoft Internet Explorer.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Smith Barney urgent security notification Mon 10 Jan 2005 22 44 11 0600.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\URGENT NOTICE FROM BILLING DEPARTMENT.eml
    J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Washington Mutual Security Update Please Read.eml
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.


#25
netnut

Hi Hammerman,

In the Kaspersky log this entry:
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_zleojtfl_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uqtfizh.dll.vir Infected: Packed.Win32.Krap.hc 1

When I Googled the first one it said it is the same as the Boaxxe.E infection.

MSE said the following on 6/1/2010 (the real time protection)
Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommendation: Remove this software immediately.

Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the 'Allow' action and click 'Apply actions'. If this option is not available, log on as administrator or ask the local administrator for help.

Items:
file:C:\WINDOWS\system32\uqtfizh.dll.bak

Get more information about this item online.

And here is the OTL Log

All processes killed
========== FILES ==========
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Account Investigation Warning.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Customer Notice Instructions For CIient Sun 09 Feb 2003 10 11 59 0400.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\eBay Inc Confirm Your Details To Avoid Service Cancellation.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\IMPORTANT INFORMATION FROM WASHINGTON MUTUAL BILLING DEPARTMENT.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Information Your Account.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Important Notification From Smith Barney Sat 05 Feb 2005 14 44 32 0500.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\PLEASE CONFIRM YOUR SMITH BARNEY INTERNET BANKING IDENTITY.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Security Alert on Microsoft Internet Explorer.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Smith Barney urgent security notification Mon 10 Jan 2005 22 44 11 0600.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\URGENT NOTICE FROM BILLING DEPARTMENT.eml moved successfully.
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Washington Mutual Security Update Please Read.eml moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Administrator
->Temp folder emptied: 188184323 bytes
->Temporary Internet Files folder emptied: 8334223 bytes
->Java cache emptied: 128094 bytes
->FireFox cache emptied: 51814698 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 405 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService
->Temp folder emptied: 18808 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: uppal
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 700653 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 238.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: HP_Administrator
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: uppal
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.5.1 log created on 06022010_181146

Files\Folders moved on Reboot...
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\IadHide5.dll moved successfully.

Registry entries deleted on Reboot...

Thanks!

Sanjay
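The post above asks whether the two quarantine hits in the Kaspersky report are the Boaxxe infection coming back, while the MSE alert points at a different file, uqtfizh.dll.bak. The script below is an added example, not code from this thread or from the OTL or Kaspersky tools; it mechanises the triage the replies in this thread apply by hand: a hit under ComboFix's Qoobox quarantine or inside a System Restore snapshot is a dead copy, a hit inside a .dbx/.pst/.eml mail store is stored phishing or malware mail, a "not-a-virus:" verdict is riskware, and a file outside the quarantine whose name stem matches a quarantined sample (uqtfizh.dll.bak beside the quarantined uqtfizh.dll.vir) is the remnant that still needs removing. The sample report and listing lines are copied from the logs posted in this thread; the category names and the name-stem heuristic are this example's own.

```python
"""Triage Kaspersky Online Scanner hits against an OTL file listing.

Added example, not code from this thread or from the OTL/Kaspersky tools.
Quarantine and System Restore hits are not live; mail-store hits are stored
phishing or malware mails; a file outside the quarantine whose name stem
matches a quarantined sample (uqtfizh.dll.bak vs. uqtfizh.dll.vir) is the
remnant still to remove. Samples are copied from the logs posted above.
"""
import re
from collections import Counter

# "<path> Infected: <threat> <count>" or "<path> Suspicious: <threat> <count>"
KASPERSKY_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# "[date time | size | attrs | C] (company) -- path"; directory lines carry no "(company)"
OTL_RE = re.compile(
    r"^\[(?P<ts>[^|]+)\|(?P<size>[^|]+)\|(?P<attrs>[^|]+)\|\s*(?P<kind>[CM])\]\s*"
    r"(?:\((?P<company>[^)]*)\)\s*)?--\s*(?P<path>.+)$"
)
MAIL_STORES = (".dbx", ".pst", ".eml")

KASPERSKY_SAMPLE = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_zleojtfl_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uqtfizh.dll.vir Infected: Packed.Win32.Krap.hc 1
C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP9\A0000205.dll Infected: Packed.Win32.Krap.hc 1
J:\data\atsilvan\Outlook Express\Corp 124 External - Feb2001.dbx Infected: Trojan-DDoS.Linux.Blitz.a 2
J:\data\c_on_intelpc\prerna\recovmail\Inbox_dbx\Account Investigation Warning.eml Infected: Trojan-Spy.HTML.Smitfraud.a 1
J:\data\smalljdrive\Outlook\augsepl06.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
J:\software\snapstream\BTV_V34_FULL.exe Infected: not-a-virus:RiskTool.Win32.PsKill.103 1
"""

OTL_SAMPLE = r"""
[2010/05/30 11:22:35 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/30 07:55:01 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2005/12/12 00:08:40 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\uqtfizh.dll.bak
[2010/05/17 18:39:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
"""

def classify(path, threat):
    """Bucket one hit by where it sits and what the scanner calls it."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"     # ComboFix copy; goes away with ComboFix /Uninstall
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # old System Restore snapshot, not on the live path
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"        # tool or adware the scanner does not class as malware
    if p.endswith(MAIL_STORES):
        return "mail-store"      # phishing/malware sitting inside stored mail
    return "live"

def parse_kaspersky(report):
    hits = []
    for line in report.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["count"] = int(hit["count"])
            hit["category"] = classify(hit["path"], hit["threat"])
            hits.append(hit)
    return hits

def parse_otl(listing):
    entries = []
    for line in listing.splitlines():
        m = OTL_RE.match(line.strip())
        if m:
            e = {k: (v or "").strip() for k, v in m.groupdict().items()}
            e["size"] = int(e["size"].replace(",", ""))
            entries.append(e)
    return entries

def stem(path):
    """'_zleojtfl_.sys.zip' -> 'zleojtfl'; 'uqtfizh.dll.vir' and 'uqtfizh.dll.bak' -> 'uqtfizh'."""
    name = path.rsplit("\\", 1)[-1].lower()
    name = re.sub(r"\.(vir|zip)$", "", name)   # ComboFix quarantine suffixes
    return name.split(".")[0].strip("_")

def summarize(hits):
    return Counter(h["category"] for h in hits)

def find_remnants(hits, entries):
    """OTL paths outside the quarantine whose stem matches a quarantined hit."""
    bad = {stem(h["path"]) for h in hits if h["category"] == "quarantined"}
    return [e["path"] for e in entries
            if "\\qoobox\\" not in e["path"].lower() and stem(e["path"]) in bad]

if __name__ == "__main__":
    hits = parse_kaspersky(KASPERSKY_SAMPLE)
    print(dict(summarize(hits)))
    for path in find_remnants(hits, parse_otl(OTL_SAMPLE)):
        print("remnant outside quarantine:", path)
```

Run against the sample, the report classifies nothing as live: two quarantined copies, one restore-point copy, three mail-store hits and one riskware hit, and the only remnant flagged from the OTL listing is C:\WINDOWS\System32\uqtfizh.dll.bak, which is exactly the file the MSE alert named. The stem heuristic is deliberately loose (it would also pair a legitimate file that happened to share a name stem with a quarantined one), so treat its output as a list to look at, not a list to delete.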

#26
hammerman

Hi,

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_zleojtfl_.sys.zip Infected: Trojan.Win32.BHO.ext 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\uqtfizh.dll.vir Infected: Packed.Win32.Krap.hc 1

These are files deleted by Combofix and placed in its quarantine. They will get removed when we uninstall Combofix.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    [2005/12/12 00:08:40 | 000,112,128 | ---- | C] () -- C:\WINDOWS\System32\uqtfizh.dll.bak
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

Apart from that file, your computer appears clean :)

Let's remove the tools we've been using.

Please follow these steps.

-- Step 1 --

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
-- Step 2 --
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Here are some measures you can take to ensure that your computer remains clean.

1. Updates

Windows Updates

It is essential that you regularly check and install the latest Windows Updates. Vulnerabilities within Windows can leave your computer open to infection. Regular updates are released to fix these security vulnerabilities. It is recommended that you set Windows to check, download and install your updates automatically.

  • Click Start
  • Select Control Panel
  • Click on Automatic (recommended)
  • Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet.
  • Click Apply then OK.
Java Updates

As with Windows, Java also needs to be regularly updated to fix security vulnerabilities. You can download the latest version of the Java Runtime Environment (JRE) from here. Download, install and reboot your computer. You also need to uninstall older versions of Java.

  • Click Start
  • Select Control Panel
  • Select Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
Adobe Updates

Your Adobe reader needs updating. You should ensure you use the latest Adobe Acrobat Reader and install any security updates that are released. You can download the latest reader and updates from here.

Other Updates

Regularly check for updates for all your security programs including firewall, antivirus, antispyware etc

2. Security Programs

Here is a list of security programs that I would recommend.

Firewall

A firewall is essential to stop hackers infiltrating your computer. The following firewalls are free for personal use. Do not install more than one firewall.

Zone Alarm is an excellent free basic firewall which is very easy to use.
Online-Armor Free is a more advanced firewall which includes a Host Intrusion Protection System (HIPS). This ensures that unrecognised programs will not run unless you give permission.

Antivirus

An antivirus program is essential. The following antivirus programs are free for personal use. Do not use more than one antivirus and always update virus definitions regularly.

AVG
Avira Free
Avast

Anti-Malware

Malwarebytes Anti-Malware MBAM is an excellent anti-malware tool that should be updated and a Quick Scan performed regularly. A Full Scan does not have to be carried out on such a regular basis as the developers aim to detect the vast majority of malware with the Quick Scan. The scanner is free for on-demand scans only.

Ad-Aware, Spybot, SuperAntispyware and A-Squared Free are also very good anti-malware programs that are free for on-demand scans. Spybot has a real-time protection feature called TeaTimer.

Prevention

SpywareBlaster is an excellent free tool for preventing the installation of spyware.
SpywareGuard offers real-time protection so that spyware is detected and blocked before it can do any harm.

Cleaner

ATF Cleaner removes temporary Internet Explorer, Firefox and Windows files.

Browser

Firefox is an alternative browser to Internet Explorer and is more secure.
NoScript is an add-on for Firefox and prevents execution of malicious scripts.
MVPS is a HOSTS file to replace your existing file. This prevents you connecting to a list of well-known ad sites.
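The MVPS recommendation above replaces the HOSTS file wholesale; before doing that, a practitioner will want to know what the existing file already does, because a HOSTS file is also a classic place for malware to pin a bank's or a vendor's update host to an address of its choosing. The script below is an added example, not code from this thread or from the MVPS project. It splits entries into blocking entries (a name pinned to 127.0.0.1, 0.0.0.0 or ::1, which is all the MVPS file ever does), redirects (a name pinned to any other address) and blocking entries that cover an update domain and would therefore cut off security updates. The sample file text and the short list of update domains are constructed for this example; 192.0.2.10 is in the reserved documentation range, not a real host.

```python
"""Audit a Windows HOSTS file, e.g. before swapping in the MVPS list.

Added example, not from this thread or the MVPS project. Blocking entries pin
a name to 127.0.0.1, 0.0.0.0 or ::1; a name pinned to any other address is a
redirect, which is how a hijacked HOSTS file sends a bank or update host
elsewhere; a blocking entry that covers a vendor's update domain cuts off
security updates. The sample text and the update-domain list are constructed
for this example; 192.0.2.0/24 is the documentation range.
"""
import ipaddress
import re

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# blocking entries, MVPS style
0.0.0.0     ad.example
127.0.0.1   banner.example     # comment after the entry

# entries nobody asked for
192.0.2.10  www.bank.example bank.example
127.0.0.1   update.microsoft.com windowsupdate.microsoft.com
"""

NULL_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}
# domains a blocking entry should never cover (illustrative list, not exhaustive)
UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "malwarebytes.org")

def in_domain(name, domain):
    """Exact match or subdomain; 'notmicrosoft.com' does not count as microsoft.com."""
    return name == domain or name.endswith("." + domain)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an address: malformed line, ignored here
        for name in names:                     # one line may map several names
            yield no, ip, name.lower()

def audit(text):
    report = {"block": [], "redirect": [], "update-blocked": []}
    for no, ip, name in parse_hosts(text):
        if name == "localhost":
            continue                           # the stock entries, not a block
        if ip not in NULL_TARGETS:
            report["redirect"].append((no, ip, name))
        elif any(in_domain(name, d) for d in UPDATE_DOMAINS):
            report["update-blocked"].append((no, ip, name))
        else:
            report["block"].append((no, ip, name))
    return report

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_HOSTS).items():
        for no, ip, name in rows:
            print(f"{kind:15} line {no:3}  {ip:12} {name}")
```

On the sample the two ad names come out as ordinary blocks, the bank names on line 10 are reported as a redirect to 192.0.2.10, and the two Microsoft update hosts on line 11 are reported as update-blocked even though they point at 127.0.0.1, which is the case a plain "is it loopback?" check misses. Anything in the redirect or update-blocked lists on a real machine deserves a look before the file is replaced, since it tells you what the infection was trying to achieve.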

#27
netnut

Hi Hammerman,

Thanks a million! The system is bug free! I really appreciate all the help and have implemented most of the recommendations in your list.

And I am certainly much the wiser about malware in general.

Regards,

Netnut

#28
hammerman

Glad to help you. Stay safe :)

#29
hammerman

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.