Nasty Redirect Virus



#31
raftini

Will do tonight.

Thanks

#32
raftini

Hi Bill, Computer seems much better. Thanks -- Here's the log:

ComboFix 11-03-30.01 - terra 03/30/2011 17:27:50.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.630 [GMT -7:00]
Running from: c:\documents and settings\terra\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\terra\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\terra\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\windows\system32\Data
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-31 00:16 . 2011-03-31 00:16 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{802B4456-9604-4888-95B3-C534C4D5CD36}\MpKsl8d314395.sys
2011-03-30 00:58 . 2011-03-30 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2011-03-30 00:53 . 2011-03-30 00:53 -------- d-----w- c:\documents and settings\terra\Local Settings\Application Data\Western Digital
2011-03-29 03:19 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{802B4456-9604-4888-95B3-C534C4D5CD36}\mpengine.dll
2011-03-27 16:01 . 2011-03-27 16:54 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-27 13:59 . 2011-03-27 13:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-27 13:25 . 2011-03-27 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2011-03-26 17:34 . 2011-03-26 17:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-26 17:33 . 2011-03-26 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-26 16:50 . 2011-03-27 16:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 16:50 . 2011-03-27 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\terra\Application Data\Malwarebytes
2011-03-26 13:23 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 13:23 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 13:10 . 2011-03-26 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600
2011-03-24 00:42 . 2011-03-24 00:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 00:42 . 2011-03-24 00:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 00:42 . 2011-03-24 00:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 00:42 . 2011-03-24 00:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 00:42 . 2011-03-24 00:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 00:42 . 2011-03-24 00:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-11 03:42 . 2011-03-11 03:42 -------- d-----w- c:\program files\WinISO
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\program files\SmartSound Software
2011-03-08 03:45 . 2007-03-16 00:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2010-10-09 22:15 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-05 01:48 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2005-08-16 10:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 10:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 10:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 10:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-26 02:24 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-07 14:09 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2005-08-16 10:18 1854976 ----a-w- c:\windows\system32\win32k.sys
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-19 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-23 01:00 49152 ----a-w- c:\dell\E-Center\GTB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-09 15:00 136176 ----atw- c:\documents and settings\terra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 12:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 01:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-20 14:00 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 23:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-10 05:18 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 13:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R1 MpKsl8d314395;MpKsl8d314395;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{802B4456-9604-4888-95B3-C534C4D5CD36}\MpKsl8d314395.sys [3/30/2011 5:16 PM 28752]
R1 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [1/9/2011 11:56 AM 97784]
S1 MpKslc7262cdd;MpKslc7262cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/5/2010 8:33 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL8D314395
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
FF - ProfilePath - c:\documents and settings\terra\Application Data\Mozilla\Firefox\Profiles\ffuujbci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
MSConfigStartUp-MSN Toolbar - c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
AddRemove-sscrLE_is1 - e:\cryptainer le\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 17:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2011-03-30 17:32:24
ComboFix-quarantined-files.txt 2011-03-31 00:32
.
Pre-Run: 128,848,732,160 bytes free
Post-Run: 128,927,694,848 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4FEAD345ECD4B9D019B3598CB6AA567A
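Reading a log like the one above is mostly pattern-matching on the "Files Created" and "Reg Loading Points" sections. The following is an added example, not code from this thread, from ComboFix or from the helper: a small Python triage script that parses those two line formats and flags the kinds of entry acted on later in the thread (the randomly named folder under All Users\Application Data, Java Deployment cache items, a Run entry launching from Temp, and AntiVirusOverride set in the Security Center key). The inline sample log, its "Updater" Run entry and the random-name heuristic are constructed assumptions of this example.

```python
import re

# Constructed sample in the ComboFix format shown in the thread: real paths from
# the posted log plus one made-up Run entry ("Updater") to exercise the Temp rule.
SAMPLE_LOG = r"""
2011-03-26 13:10 . 2011-03-26 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 13:00 . 2011-03-26 13:00 5120 ----a-w- c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45
2011-03-26 17:34 . 2011-03-26 17:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Updater"="c:\documents and settings\terra\Local Settings\Temp\updater.exe" [2011-03-26 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"""

# A "Files Created" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Registry section: a [key] header followed by "name"=value lines
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
# Shape of a generated folder name: a run of letters followed by digits
RANDOM_NAME = re.compile(r"^[A-Za-z]{8,}\d{3,}$")


def looks_random(name):
    """Heuristic (an assumption of this example, not a ComboFix rule): a generated
    name such as nEmPcOjPcGc28600 flips letter case many times and ends in digits."""
    if not RANDOM_NAME.match(name):
        return False
    letters = re.sub(r"\d+$", "", name)
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return switches >= 4


def triage(log_text):
    """Return (finding, detail) pairs for entries a helper would want to act on."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            path = m.group("path")
            parent, _, name = path.rpartition("\\")
            is_dir = m.group("attrs").startswith("d")
            if is_dir and parent.lower().endswith("\\application data") and looks_random(name):
                findings.append(("random-named data folder", path))
            elif "\\sun\\java\\deployment\\cache\\" in path.lower():
                findings.append(("java cache item", path))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            name, value = m.group("name"), m.group("value")
            if (current_key.endswith("\\security center") and name == "AntiVirusOverride"
                    and value.startswith("dword:00000001")):
                findings.append(("AV alerts suppressed in Security Center", current_key))
            elif current_key.endswith("\\currentversion\\run") and "\\temp\\" in value.lower():
                findings.append(("Run entry launching from Temp", f"{name}={value}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The heuristics only prioritise what to look at; the ESET scan and the ComboFix script in the later posts are what actually confirm and remove the items.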

#33
redcar92

Hello raftini,
Looks better and better, just a few more things to do:
Click Start -> Run and copy/paste the following single-line inside the quotebox into the Run box and click OK:

cmd /c rmdir /q/s "c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600"


Next
Please use Internet Explorer to download and run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\ESET\log.txt into your next reply.
Thanks
Bill
In Training at WTT Classroom

#34
raftini

I did not see a "details" tab. Going to run it again.

#35
raftini

OK- I saved this:

C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45 Java/TrojanDownloader.Agent.NCM trojan
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d Java/TrojanDownloader.Agent.NCM trojan
C:\i386\lnksedir.dll a variant of Win32/Kryptik.LYY trojan


But it never showed a "details" tab or button.

Thanks

#36
redcar92

Hello raftini,
Nearly done now:
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ost__p__1989082

Collect::
C:\i386\lnksedir.dll

Files::
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is your PC running now? Are there any other issues before we start to clean up?

Thanks,
Bill
In Training at WTT Classroom

#37
raftini

Hi Bill, Everything seems fine.

Here's the CB log:

ComboFix 11-03-30.01 - terra 04/01/2011 5:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.644 [GMT -7:00]
Running from: c:\documents and settings\terra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\terra\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
file zipped: c:\i386\lnksedir.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\terra\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\terra\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\i386\lnksedir.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-31 01:37 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D6630366-45BC-4EB4-9801-5405C5BA8005}\mpengine.dll
2011-03-30 00:58 . 2011-03-30 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2011-03-30 00:53 . 2011-03-30 00:53 -------- d-----w- c:\documents and settings\terra\Local Settings\Application Data\Western Digital
2011-03-27 16:01 . 2011-03-27 16:54 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-27 13:59 . 2011-03-27 13:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-27 13:25 . 2011-03-27 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2011-03-26 17:34 . 2011-03-26 17:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-26 17:33 . 2011-03-26 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-26 16:50 . 2011-03-27 16:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 16:50 . 2011-03-27 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\terra\Application Data\Malwarebytes
2011-03-26 13:23 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 13:23 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 13:10 . 2011-03-26 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600
2011-03-24 00:42 . 2011-03-24 00:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 00:42 . 2011-03-24 00:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 00:42 . 2011-03-24 00:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 00:42 . 2011-03-24 00:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 00:42 . 2011-03-24 00:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 00:42 . 2011-03-24 00:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-11 03:42 . 2011-03-11 03:42 -------- d-----w- c:\program files\WinISO
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\program files\SmartSound Software
2011-03-08 03:45 . 2007-03-16 00:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2010-10-09 22:15 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-05 01:48 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2005-08-16 10:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 10:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 10:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 10:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-26 02:24 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-07 14:09 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-31_00.30.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-01 12:08 . 2011-04-01 12:08 40960 c:\windows\Temp\rtdrvmon.exe
+ 2011-04-01 12:08 . 2011-04-01 12:08 16384 c:\windows\Temp\Perflib_Perfdata_214.dat
+ 2011-04-01 01:52 . 2011-04-01 01:52 235168 c:\windows\system32\Macromed\Flash\FlashUtil10o_Plugin.exe
+ 2008-10-05 03:24 . 2011-04-01 01:52 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-19 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-23 01:00 49152 ----a-w- c:\dell\E-Center\GTB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-09 15:00 136176 ----atw- c:\documents and settings\terra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 12:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 01:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-20 14:00 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 23:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-10 05:18 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 13:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R1 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [1/9/2011 11:56 AM 97784]
S1 MpKslc7262cdd;MpKslc7262cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/5/2010 8:33 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
FF - ProfilePath - c:\documents and settings\terra\Application Data\Mozilla\Firefox\Profiles\ffuujbci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 05:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\cryptainersrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\terra\LOCALS~1\Temp\clclean.0001
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
.
**************************************************************************
.
Completion time: 2011-04-01 05:12:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 12:12
.
Pre-Run: 128,874,885,120 bytes free
Post-Run: 128,874,704,896 bytes free
.
- - End Of File - - 71C1DE77D2B4432B8B3B30FC0E200931
Upload was successful

Thank you

#38
raftini

Bill, one thing I notice: on boot up, just before the "welcome" screen there is a quick flash of what looks like the safe-mode screen that appears after pressing F8 (it's not that exact screen, but it looks like it).
It happens so fast I can't read it all. I know it says "Microsoft... something" and "Windows XP Media Center...". Just wondering if that's the normal OS boot-up screen.

Thanks

#39
redcar92

Hello raftini,
We have a couple of stubborn ones there, let's do this please:
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600

Folder::
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45
C:\Documents and Settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

The screen you see at Bootup time is Recovery Console that is installed by ComboFix. It is a good thing and it is recommended to leave it installed.

Thanks
Bill
In Training at WTT Classroom

#40
raftini

Hi, I will do this tonight. Thanks

#41
raftini

Here we go:

ComboFix 11-04-01.01 - terra 04/01/2011 18:21:08.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.594 [GMT -7:00]
Running from: c:\documents and settings\terra\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\terra\Desktop\CFScript..txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600"
"c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45"
"c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\terra\LOCALS~1\Temp\clclean.0001.dir.0003\~df394b.tmp
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600\nEmPcOjPcGc28600
c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45
c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-78a5c66d
c:\documents and settings\terra\Local Settings\Temp\clclean.0001.dir.0003\~df394b.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))
.
.
2011-04-01 12:24 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E8DE13CF-B905-4091-8E1B-E07EDE518C12}\mpengine.dll
2011-03-30 00:58 . 2011-03-30 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2011-03-30 00:53 . 2011-03-30 00:53 -------- d-----w- c:\documents and settings\terra\Local Settings\Application Data\Western Digital
2011-03-27 16:01 . 2011-03-27 16:54 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-27 13:59 . 2011-03-27 13:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-27 13:25 . 2011-03-27 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
2011-03-26 17:34 . 2011-03-26 17:44 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-26 17:33 . 2011-03-26 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-03-26 16:50 . 2011-03-27 16:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 16:50 . 2011-03-27 16:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-26 13:29 . 2011-03-26 13:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\terra\Application Data\Malwarebytes
2011-03-26 13:23 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 13:23 . 2011-03-26 13:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-26 13:23 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-24 00:42 . 2011-03-24 00:42 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-24 00:42 . 2011-03-24 00:42 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-24 00:42 . 2011-03-24 00:42 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-24 00:42 . 2011-03-24 00:42 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-24 00:42 . 2011-03-24 00:42 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-24 00:42 . 2011-03-24 00:42 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-03-11 03:42 . 2011-03-11 03:42 -------- d-----w- c:\program files\WinISO
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2011-03-08 03:46 . 2011-03-08 03:46 -------- d-----w- c:\program files\SmartSound Software
2011-03-08 03:45 . 2007-03-16 00:57 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-03-08 03:45 . 2007-03-13 00:42 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2010-10-09 22:15 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-05 01:48 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48 . 2005-08-16 10:18 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58 . 2005-08-16 10:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2005-08-16 10:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2005-08-16 10:18 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-26 02:24 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-07 14:09 . 2005-08-16 10:18 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-03-24 00:42 . 2011-03-24 00:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-31_00.30.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-02 01:18 . 2011-04-02 01:18 16384 c:\windows\Temp\Perflib_Perfdata_4f0.dat
+ 2011-04-01 01:52 . 2011-04-01 01:52 235168 c:\windows\system32\Macromed\Flash\FlashUtil10o_Plugin.exe
+ 2008-10-05 03:24 . 2011-04-01 01:52 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-11-19 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-03 00:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-10-05 09:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-02-23 01:00 49152 ----a-w- c:\dell\E-Center\GTB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-09 15:00 136176 ----atw- c:\documents and settings\terra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 12:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
2006-07-13 05:22 57344 ----a-w- c:\program files\Lexmark 1200 Series\lxczbmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-07-13 01:05 1117184 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-03-20 14:00 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultMIDI]
2004-12-22 23:40 24576 ----a-w- c:\windows\MIDIDEF.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-10-10 05:18 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoiceCenter]
2005-09-19 13:42 1159168 ------w- c:\program files\Creative\VoiceCenter\AndreaVC.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
.
R1 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [1/9/2011 11:56 AM 97784]
S1 MpKslc7262cdd;MpKslc7262cdd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6E1BAEEF-4127-4665-B377-11183AF18007}\MpKslc7262cdd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/5/2010 8:33 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-05 15:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.charter.net/
FF - ProfilePath - c:\documents and settings\terra\Application Data\Mozilla\Firefox\Profiles\ffuujbci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 18:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|˙˙˙˙Ŕ•€|ů•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
Completion time: 2011-04-01 18:27:05
ComboFix-quarantined-files.txt 2011-04-02 01:27
ComboFix2.txt 2011-04-01 12:18
.
Pre-Run: 128,811,372,544 bytes free
Post-Run: 128,802,787,328 bytes free
.
- - End Of File - - 3D36B627E9587AC716B00A110552A058

thanks
  • 0
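Reading a ComboFix log like the one above by hand means checking three things first: that every path the CFScript listed under FILE :: actually turns up under Other Deletions, what the Security Center override values are (an AntiVirusOverride of 1, as in this log, stops Windows XP's Security Center from alerting that antivirus protection is off, which both legitimate AV installers and malware set), and which auto-start entries sit in the machine-wide Run key. The Python script below is an added example that does those checks mechanically; it is not ComboFix's own code and was not posted by anyone in this thread. Its input is a constructed excerpt in the ComboFix layout, modelled on the log above, with the Java cache path deliberately left out of Other Deletions so the cross-check has something to report.

```python
import re

# Constructed excerpt in the ComboFix layout, modelled on the log posted above.
# The Java cache path is deliberately missing from "Other Deletions" so the
# cross-check has something to report.
SAMPLE_LOG = r"""
ComboFix 11-04-01.01 - terra 04/01/2011 18:21:08.3.2 - x86
.
FILE ::
"c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600"
"c:\documents and settings\terra\Application Data\Sun\Java\Deployment\cache\6.0\42\2c35306a-50552e45"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600
c:\documents and settings\All Users\Application Data\nEmPcOjPcGc28600\nEmPcOjPcGc28600
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((( Section Name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"')       # "Name"="command" [date size]

def split_sections(log):
    """Map banner text -> non-empty lines. Text before the first banner (tool
    version, FILE :: list) goes under 'Header'; ComboFix's '.' spacers are dropped."""
    sections = {"Header": []}
    current = "Header"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def requested_deletions(sections):
    """Paths the CFScript asked for: the quoted lines right after 'FILE ::'."""
    paths, collecting = [], False
    for line in sections["Header"]:
        if line.strip().upper() == "FILE ::":
            collecting = True
        elif collecting and line.startswith('"') and line.endswith('"'):
            paths.append(line.strip('"'))
        elif collecting:
            break
    return paths

def unconfirmed_deletions(sections):
    """Requested paths that never show up under 'Other Deletions'
    (compared case-insensitively, as NTFS paths are)."""
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    return [p for p in requested_deletions(sections) if p.lower() not in deleted]

def registry_values(sections):
    """Map each key listed under 'Reg Loading Points' to its raw value lines."""
    values, key = {}, None
    for line in sections.get("Reg Loading Points", []):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            values.setdefault(key, [])
        elif key is not None:
            values[key].append(line)
    return values

def security_center_overrides(sections):
    """{value name: int} for the *Override values under the Security Center key.
    A value of 1 stops XP's Security Center alerting that the protection is off."""
    out = {}
    for key, lines in registry_values(sections).items():
        if key.endswith("\\security center"):
            for m in filter(None, map(DWORD_RE.match, lines)):
                if m.group(1).endswith("Override"):
                    out[m.group(1)] = int(m.group(2), 16)
    return out

def run_entries(sections):
    """{name: command} for the machine-wide ...\\CurrentVersion\\Run key."""
    out = {}
    for key, lines in registry_values(sections).items():
        if key.endswith("\\currentversion\\run"):
            for m in filter(None, map(RUN_RE.match, lines)):
                out[m.group(1)] = m.group(2)
    return out

def triage(log):
    """Run all three checks over one log and return them as a dict."""
    sections = split_sections(log)
    return {"unconfirmed": unconfirmed_deletions(sections),
            "overrides": security_center_overrides(sections),
            "run": run_entries(sections)}

if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check, "->", result)
```

Run against a real C:\ComboFix.txt, an empty `unconfirmed` list is what you want to see after a CFScript run; a non-empty one means the path was already gone, mistyped, or could not be removed and needs another look. The Run entries are listed rather than judged, since whether `stsystra.exe` or a random-looking name is legitimate is exactly the call a helper makes with the rest of the log in front of them.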

#42
redcar92

    Member

  • Member
  • 69 posts
Hello raftini,

Do NOT forget to reactivate your anti-virus.

One more DDS log please:
Double click dds.scr to run the tool.
When done, two DDS .txt files will open.
Save both reports to your desktop.
Please include the contents of the following in your reply using Copy / Paste:
DDS.txt & Attach.txt

Next
Your Java appears to be down level.
Navigate to Control Panel, then open Add/Remove Programs.
Highlight each Java entry, then click Uninstall in the toolbar.
Visit this site to download and install the latest Java.

Next
Your Adobe Reader appears to be down level.
Navigate to Control Panel, then open Add/Remove Programs.
Highlight each Adobe Reader entry, then click Uninstall in the toolbar.
Visit this site to download and install the latest Adobe Reader.

Please let me know how your PC is running now, and if there are any more issues we need to deal with.

Thanks,
Bill
In Training at WTT Classroom
  • 0
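The "down level" calls above are made by eye from the Installed Programs list in the DDS Attach.txt, where an old Java 2 Runtime or Reader 6 entry sitting beside a newer one is the giveaway. The Python script below is an added example, not DDS's code and not from anyone in this thread, that makes the same check mechanically: it pulls only the Installed Programs section out of an Attach.txt, normalises the two Java naming styles to one comparable version tuple, and reports families with more than one version installed side by side or whose newest version is below a threshold the caller supplies. The sample Attach.txt excerpt is constructed for the example, and the thresholds in the demo call are illustrative numbers, not a statement of what the current releases are.

```python
import re

# Constructed excerpt in the DDS Attach.txt layout (entries invented for the
# example; the real list is whatever Attach.txt reports).
SAMPLE_ATTACH = """\
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 120.305 GiB free.
.
==== Installed Programs ======================
.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
CCleaner
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java(TM) 6 Update 23
Mozilla Firefox 4.0 (x86 en-US)
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # ==== Section Name ====
# Old-style name: "Java 2 Runtime Environment, SE v1.4.2_03"
JAVA_OLD = re.compile(r"^Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.I)
# New-style name: "Java(TM) 6 Update 23" (DDS may print the mark as (TM) or ™)
JAVA_NEW = re.compile(r"^Java(?:\(TM\)|™)?\s+(\d+)\s+Update\s+(\d+)", re.I)
# "Adobe Reader 6.0.1" and "Adobe Acrobat - Reader 6.0.2 Update"
READER = re.compile(r"^Adobe (?:Acrobat - )?Reader (\d+)\.(\d+)(?:\.(\d+))?", re.I)

def installed_programs(attach_text):
    """Return only the entries under '==== Installed Programs ===='."""
    entries, wanted = [], False
    for line in attach_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            wanted = m.group(1).lower() == "installed programs"
        elif wanted and line.strip() not in ("", "."):
            entries.append(line.strip())
    return entries

def parse_version(entry):
    """(family, version tuple) for Java and Adobe Reader entries, else None.
    'Java N Update U' is normalised to 1.N.0_U so it sorts against the old
    'SE v1.4.2_03' naming; 'Java Auto Updater' carries no version."""
    m = JAVA_OLD.match(entry)
    if m:
        return "Java", tuple(int(x or 0) for x in m.groups())
    m = JAVA_NEW.match(entry)
    if m:
        return "Java", (1, int(m.group(1)), 0, int(m.group(2)))
    m = READER.match(entry)
    if m:
        return "Adobe Reader", tuple(int(x or 0) for x in m.groups())
    return None

def version_report(attach_text, minimum):
    """Per family: entries found (oldest first), whether more than one version
    is installed side by side, and whether the newest is below minimum[family]."""
    found = {}
    for entry in installed_programs(attach_text):
        parsed = parse_version(entry)
        if parsed:
            family, version = parsed
            found.setdefault(family, []).append((version, entry))
    report = {}
    for family, items in found.items():
        items.sort()
        versions = [v for v, _ in items]
        report[family] = {
            "entries": [e for _, e in items],
            "multiple_versions": len(set(versions)) > 1,
            "below_minimum": family in minimum and versions[-1] < minimum[family],
        }
    return report

if __name__ == "__main__":
    # Illustrative thresholds for the demo only; use the current release
    # numbers when you run this against a real Attach.txt.
    demo_minimum = {"Java": (1, 6, 0, 24), "Adobe Reader": (10, 0, 0)}
    for family, info in version_report(SAMPLE_ATTACH, demo_minimum).items():
        print(family, info)
```

Both flags matter independently: an old runtime left beside a new one is still on disk and still registered as a browser plugin (the DPF and FF plugin lines in DDS.txt show which), so removing every entry of the family before reinstalling, as the instructions above say, is what actually closes the gap.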

#43
raftini

    Member

  • Topic Starter
  • Member
  • 39 posts
Here they are -- thanks

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by terra at 7:37:24.76 on Sat 04/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.611 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\DOCUME~1\terra\LOCALS~1\Temp\clclean.0001
C:\Program Files\Icon Remover\IconRemover.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
svchost.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\terra\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.charter.net/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Google Update] "c:\documents and settings\terra\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Icon Remover] c:\program files\icon remover\IconRemover.exe /hideapp
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286416658140
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\terra\applic~1\mozilla\firefox\profiles\ffuujbci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\terra\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\terra\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl0f5a8783;MpKsl0f5a8783;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1536dd86-8c7f-47cf-831a-5f83fba3ee4a}\MpKsl0f5a8783.sys [2011-4-2 28752]
R1 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2011-1-9 97784]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-4-2 11520]
S1 MpKslc7262cdd;MpKslc7262cdd;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6e1baeef-4127-4665-b377-11183af18007}\mpkslc7262cdd.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6e1baeef-4127-4665-b377-11183af18007}\MpKslc7262cdd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-5 136176]
.
=============== Created Last 30 ================
.
2011-04-02 14:33:47 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{1536dd86-8c7f-47cf-831a-5f83fba3ee4a}\MpKsl0f5a8783.sys
2011-04-02 07:17:48 -------- d-----w- c:\docume~1\terra\applic~1\Icon Remover
2011-04-02 07:17:44 -------- d-----w- c:\program files\Icon Remover
2011-04-02 07:05:09 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2011-04-02 07:05:08 -------- d-----w- c:\program files\Western Digital
2011-04-02 04:07:15 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{1536dd86-8c7f-47cf-831a-5f83fba3ee4a}\mpengine.dll
2011-03-31 00:26:38 -------- d-sha-r- C:\cmdcons
2011-03-31 00:25:19 98816 ----a-w- c:\windows\sed.exe
2011-03-31 00:25:19 89088 ----a-w- c:\windows\MBR.exe
2011-03-31 00:25:19 256512 ----a-w- c:\windows\PEV.exe
2011-03-31 00:25:19 161792 ----a-w- c:\windows\SWREG.exe
2011-03-30 00:58:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2011-03-30 00:53:40 -------- d-----w- c:\docume~1\terra\locals~1\applic~1\Western Digital
2011-03-27 16:01:29 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-03-27 13:25:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks
2011-03-26 17:34:55 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-26 17:33:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-03-26 16:50:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-26 16:50:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-26 13:23:43 -------- d-----w- c:\docume~1\terra\applic~1\Malwarebytes
2011-03-26 13:23:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 13:23:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-26 13:23:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 13:23:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-24 00:42:11 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-24 00:42:11 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-24 00:42:11 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-24 00:42:11 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-24 00:42:10 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-24 00:42:10 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-24 00:42:09 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-24 00:42:09 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-11 03:42:46 -------- d-----w- c:\program files\WinISO
2011-03-08 03:46:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc
2011-03-08 03:46:29 -------- d-----w- c:\program files\SmartSound Software
2011-03-08 03:45:50 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2011-03-08 03:45:50 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2011-03-08 03:45:48 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
.
==================== Find3M ====================
.
2011-02-05 01:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-05 01:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 7:38:04.98 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/6/2010 5:28:47 PM
System Uptime: 4/2/2011 7:32:54 AM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WG261
Processor: Intel® Pentium® 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 144 GiB total, 120.305 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is FIXED (NTFS) - 931 GiB total, 876.564 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP130: 1/1/2011 5:43:59 PM - System Checkpoint
RP131: 1/1/2011 6:34:57 PM - Software Distribution Service 3.0
RP132: 1/2/2011 6:41:44 PM - Software Distribution Service 3.0
RP133: 1/3/2011 6:41:26 PM - Software Distribution Service 3.0
RP134: 1/4/2011 6:40:30 PM - Software Distribution Service 3.0
RP135: 1/5/2011 6:47:20 PM - Software Distribution Service 3.0
RP136: 1/6/2011 5:16:11 AM - Software Distribution Service 3.0
RP137: 1/6/2011 6:40:55 PM - Software Distribution Service 3.0
RP138: 1/7/2011 6:42:11 PM - Software Distribution Service 3.0
RP139: 1/8/2011 6:41:03 PM - Software Distribution Service 3.0
RP140: 1/9/2011 3:28:28 PM - Installed Windows KB954550-v5.
RP141: 1/9/2011 3:28:46 PM - Printer Driver Microsoft XPS Document Writer Installed
RP142: 1/9/2011 3:28:59 PM - Printer Driver Microsoft XPS Document Writer Installed
RP143: 1/9/2011 6:33:57 PM - Software Distribution Service 3.0
RP144: 1/10/2011 9:51:04 AM - Software Distribution Service 3.0
RP145: 1/10/2011 6:46:00 PM - Software Distribution Service 3.0
RP146: 1/11/2011 6:40:51 PM - Software Distribution Service 3.0
RP147: 1/12/2011 6:09:48 PM - Software Distribution Service 3.0
RP148: 1/12/2011 6:46:42 PM - Software Distribution Service 3.0
RP149: 1/13/2011 5:47:07 PM - Software Distribution Service 3.0
RP150: 1/14/2011 6:41:03 PM - Software Distribution Service 3.0
RP151: 1/15/2011 6:59:03 AM - Software Distribution Service 3.0
RP152: 1/15/2011 6:54:32 PM - Software Distribution Service 3.0
RP153: 1/16/2011 6:44:55 PM - Software Distribution Service 3.0
RP154: 1/17/2011 6:45:39 PM - Software Distribution Service 3.0
RP155: 1/18/2011 6:40:44 PM - Software Distribution Service 3.0
RP156: 1/19/2011 6:40:59 PM - Software Distribution Service 3.0
RP157: 1/20/2011 6:41:18 PM - Software Distribution Service 3.0
RP158: 1/21/2011 7:36:47 PM - Software Distribution Service 3.0
RP159: 1/22/2011 6:47:34 PM - Software Distribution Service 3.0
RP160: 1/23/2011 6:55:48 PM - Software Distribution Service 3.0
RP161: 1/24/2011 6:40:31 PM - Software Distribution Service 3.0
RP162: 1/25/2011 6:23:54 PM - Software Distribution Service 3.0
RP163: 1/25/2011 6:35:54 PM - Software Distribution Service 3.0
RP164: 1/26/2011 6:42:57 PM - Software Distribution Service 3.0
RP165: 1/27/2011 7:10:24 PM - Software Distribution Service 3.0
RP166: 1/28/2011 7:25:34 PM - Software Distribution Service 3.0
RP167: 1/29/2011 6:39:47 PM - Software Distribution Service 3.0
RP168: 1/30/2011 6:56:54 PM - Software Distribution Service 3.0
RP169: 1/31/2011 6:04:24 PM - Software Distribution Service 3.0
RP170: 2/1/2011 6:51:31 PM - Software Distribution Service 3.0
RP171: 2/2/2011 6:50:11 PM - Software Distribution Service 3.0
RP172: 2/3/2011 7:04:22 PM - Software Distribution Service 3.0
RP173: 2/4/2011 6:51:22 PM - Software Distribution Service 3.0
RP174: 2/5/2011 7:11:59 PM - System Checkpoint
RP175: 2/5/2011 7:13:55 PM - Software Distribution Service 3.0
RP176: 2/6/2011 7:06:57 PM - Software Distribution Service 3.0
RP177: 2/7/2011 7:07:56 PM - Software Distribution Service 3.0
RP178: 2/8/2011 6:58:49 PM - Software Distribution Service 3.0
RP179: 2/9/2011 6:17:51 PM - Software Distribution Service 3.0
RP180: 2/9/2011 7:29:03 PM - Software Distribution Service 3.0
RP181: 2/10/2011 6:57:43 PM - Software Distribution Service 3.0
RP182: 2/11/2011 7:21:39 PM - Software Distribution Service 3.0
RP183: 2/12/2011 7:29:30 AM - Installed e-Sword
RP184: 2/12/2011 7:32:35 AM - Removed Get High Speed Internet!
RP185: 2/12/2011 7:28:36 PM - Software Distribution Service 3.0
RP186: 2/13/2011 6:31:33 PM - Software Distribution Service 3.0
RP187: 2/14/2011 6:34:57 PM - Software Distribution Service 3.0
RP188: 2/15/2011 5:16:33 AM - Software Distribution Service 3.0
RP189: 2/15/2011 7:05:02 PM - Software Distribution Service 3.0
RP190: 2/16/2011 7:18:07 PM - System Checkpoint
RP191: 2/16/2011 7:27:50 PM - Software Distribution Service 3.0
RP192: 2/17/2011 7:15:43 PM - Software Distribution Service 3.0
RP193: 2/18/2011 6:27:55 PM - Installed BibleWorks 8
RP194: 2/18/2011 6:46:34 PM - Software Distribution Service 3.0
RP195: 2/18/2011 7:25:35 PM - Removed BibleWorks 8
RP196: 2/19/2011 6:42:32 PM - Software Distribution Service 3.0
RP197: 2/20/2011 8:14:53 AM - Installed Macromedia Dreamweaver 8
RP198: 2/20/2011 6:42:43 PM - Software Distribution Service 3.0
RP199: 2/21/2011 6:40:50 PM - Software Distribution Service 3.0
RP200: 2/22/2011 7:23:52 PM - Software Distribution Service 3.0
RP201: 2/23/2011 7:16:22 PM - Software Distribution Service 3.0
RP202: 2/24/2011 6:35:03 PM - Software Distribution Service 3.0
RP203: 2/25/2011 6:52:47 PM - System Checkpoint
RP204: 2/25/2011 7:00:30 PM - Software Distribution Service 3.0
RP205: 2/26/2011 7:25:55 PM - Software Distribution Service 3.0
RP206: 2/27/2011 7:54:04 AM - Software Distribution Service 3.0
RP207: 2/27/2011 7:24:03 PM - Software Distribution Service 3.0
RP208: 2/28/2011 6:36:44 PM - Software Distribution Service 3.0
RP209: 3/2/2011 7:35:34 AM - Software Distribution Service 3.0
RP210: 3/2/2011 6:42:24 PM - Software Distribution Service 3.0
RP211: 3/3/2011 6:52:07 PM - System Checkpoint
RP212: 3/3/2011 7:27:53 PM - Software Distribution Service 3.0
RP213: 3/4/2011 6:35:38 PM - Software Distribution Service 3.0
RP214: 3/5/2011 3:20:35 PM - Software Distribution Service 3.0
RP215: 3/6/2011 4:11:20 PM - System Checkpoint
RP216: 3/7/2011 6:00:13 AM - Software Distribution Service 3.0
RP217: 3/7/2011 6:49:35 PM - Software Distribution Service 3.0
RP218: 3/7/2011 7:45:43 PM - Installed DirectX
RP219: 3/7/2011 7:46:24 PM - Installed SmartSound Quicktracks Plugin
RP220: 3/8/2011 6:58:23 PM - Software Distribution Service 3.0
RP221: 3/8/2011 7:02:55 PM - Software Distribution Service 3.0
RP222: 3/8/2011 8:37:05 PM - Software Distribution Service 3.0
RP223: 3/9/2011 7:34:00 PM - Software Distribution Service 3.0
RP224: 3/10/2011 7:27:08 PM - Installed StuffIt Expander 2010.
RP225: 3/10/2011 7:29:07 PM - Software Distribution Service 3.0
RP226: 3/10/2011 7:32:15 PM - Removed StuffIt Expander 2010.
RP227: 3/11/2011 7:01:24 PM - Software Distribution Service 3.0
RP228: 3/12/2011 7:39:43 PM - Software Distribution Service 3.0
RP229: 3/13/2011 7:27:03 PM - Software Distribution Service 3.0
RP230: 3/14/2011 6:54:07 PM - Software Distribution Service 3.0
RP231: 3/15/2011 6:44:37 PM - Software Distribution Service 3.0
RP232: 3/16/2011 7:25:43 AM - Software Distribution Service 3.0
RP233: 3/16/2011 5:36:06 PM - Removed Google Earth.
RP234: 3/16/2011 7:02:36 PM - Software Distribution Service 3.0
RP235: 3/17/2011 6:51:12 PM - Software Distribution Service 3.0
RP236: 3/18/2011 6:32:12 PM - Software Distribution Service 3.0
RP237: 3/19/2011 6:37:40 PM - System Checkpoint
RP238: 3/19/2011 7:27:16 PM - Software Distribution Service 3.0
RP239: 3/20/2011 6:59:05 PM - Software Distribution Service 3.0
RP240: 3/21/2011 7:16:12 PM - Software Distribution Service 3.0
RP241: 3/22/2011 6:50:55 PM - Software Distribution Service 3.0
RP242: 3/23/2011 7:06:23 PM - Software Distribution Service 3.0
RP243: 3/24/2011 5:20:29 AM - Software Distribution Service 3.0
RP244: 3/24/2011 6:36:25 PM - Software Distribution Service 3.0
RP245: 3/25/2011 7:30:37 PM - Software Distribution Service 3.0
RP246: 3/26/2011 7:57:54 AM - Software Distribution Service 3.0
RP247: 3/26/2011 9:19:57 AM - Restore Operation
RP248: 3/26/2011 9:34:56 AM - Restore Operation
RP249: 3/26/2011 9:46:50 AM - Restore Operation
RP250: 3/27/2011 8:53:55 AM - Software Distribution Service 3.0
RP251: 3/28/2011 6:58:20 PM - Software Distribution Service 3.0
RP252: 3/29/2011 9:40:27 PM - System Checkpoint
RP253: 3/30/2011 6:37:06 PM - Software Distribution Service 3.0
RP254: 3/31/2011 7:29:00 PM - System Checkpoint
RP255: 4/1/2011 7:04:55 PM - Software Distribution Service 3.0
RP256: 4/2/2011 12:05:07 AM - Installed SES Driver
.
==== Installed Programs ======================
.
µTorrent
Adobe Acrobat - Reader 6.0.2 Update
Adobe Audition 3.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Reader 6.0.1
Andrea VoiceCenter
AOLIcon
ATI Control Panel
ATI Display Driver
Bible Analyzer 4.0
CCleaner
Charter Browser Updater
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.1
Dell System Restore
Digital Content Portal
Digital Line Detect
DirectXInstallService
e-Sword
EducateU
ELIcon
ESPNMotion
FileZilla Client 3.3.5.1
Foxit Reader
GemMaster Mystic
Google Chrome
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Icon Remover 1.4
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Java 2 Runtime Environment, SE v1.4.2_03
Java Auto Updater
Java™ 6 Update 23
Lexmark 1200 Series
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Plus! Digital Media Edition Installer
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Modem Helper
Mozilla Firefox 4.0 (x86 en-US)
MSN
NetWaiting
Otto
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2524375)
SES Driver
SmartSound Quicktracks Plugin
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB971029)
Viewpoint Media Player
VLC media player 1.1.4
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908250
Windows XP Service Pack 3
WinISO 5.3
WinRAR archiver
WordPerfect Office 12
YouTube Downloader 2.6.2
.
==== Event Viewer Messages From Past Week ========
.
4/1/2011 5:03:55 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.101.500.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6702.0 Error code: 0x80072efd Error description: A connection with the server could not be established
3/29/2011 7:18:03 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.101.319.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6702.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
3/28/2011 7:58:08 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
3/27/2011 8:41:28 AM, error: Dhcp [1002] - The IP address lease 192.168.0.100 for the Network Card with network address 001372B0DF12 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
3/27/2011 7:01:24 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/27/2011 7:01:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/27/2011 6:59:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm MpFilter ssoftnt4
3/27/2011 6:59:24 AM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The dependency service or group failed to start.
3/27/2011 6:57:47 AM, error: Dhcp [1002] - The IP address lease 24.205.168.21 for the Network Card with network address 001372B0DF12 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
3/27/2011 6:42:33 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.101.247.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6702.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
3/27/2011 6:42:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/27/2011 6:32:08 AM, error: Dhcp [1002] - The IP address lease 0.0.0.0 for the Network Card with network address 001372B0DF12 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
3/27/2011 6:32:05 AM, error: Dhcp [1002] - The IP address lease 24.205.168.21 for the Network Card with network address 001372B0DF12 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
3/26/2011 9:59:39 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss ssoftnt4 Tcpip
3/26/2011 9:59:39 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 9:59:39 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 9:59:39 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 9:59:39 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 9:59:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
.
==== End Of File ===========================
  • 0

#44
raftini

raftini

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Hi Bill,

Java is now updated.
Adobe Reader is removed (I'll use Foxit Reader).

Everything seems normal.

How does the last log look?

Thanks
  • 0

#45
redcar92

redcar92

    Member

  • Member
  • PipPip
  • 69 posts
Hello raftini,
Your logs look clean now. Excellent job you have done. :D
Cleanup time now.

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, and it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.


Next
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Next
This will remove OTL, OTH, DDS, & GMER
Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL, as this step will require a reboot.
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

Next
To remove RKill, just right-click on the icon and select Delete.

MalwareBytes, ESET and ATF are good tools to keep and use periodically. Be sure to update MalwareBytes before running a scan.

Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your anti-virus application on a regular basis. With the ever-increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice: "So how did I get infected in the first place?"

Thanks for your patience and hard work. :D
Bill
In Training at WTT Classroom
  • 0
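Step 4 above recommends a custom hosts file, and the thread itself is about a redirect hijack, which is exactly the kind of entry a tampered hosts file can carry (a well-known site pointed at an address the user never chose). The script below is an added example written for this thread, not a tool from the post or from any of the products it names; it audits a hosts file in the way a helper would want to: blocklist entries must sink to a null or loopback address, and no well-known domain may be mapped anywhere else. The sample hosts content, the list of "protected" domains, and the 203.0.113.0/24 addresses are all constructed for illustration.

```python
"""Audit a Windows hosts file for blocklist entries versus redirect-style hijacks.

Added example for this thread (not from the original post). The PROTECTED_SUFFIXES list
and SAMPLE_HOSTS below are constructed for illustration; adjust them to taste.
"""
import ipaddress

# Illustrative domains a redirect hijacker commonly targets (assumption, not from the thread).
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "google.com",
    "malwarebytes.org", "eset.com",
)

# Constructed sample hosts file. 203.0.113.0/24 is a documentation-only range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0     ads.example-adnetwork.test   # MVPS-style block entry
0.0.0.0     tracker.example.test
127.0.0.1   banner.example.test
203.0.113.45    www.google.com           # well-known site sent elsewhere: hijack
203.0.113.45    update.microsoft.com     # keeps the machine from updating: hijack
10.0.0.5        intranet.example.test    # custom mapping, worth a look but not a hijack
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Return [(line_no, address, [hostnames])] for every non-blank, non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((line_no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_sinkhole(address):
    """True for 0.0.0.0, 127.x.x.x and ::1, the addresses a blocklist legitimately uses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback


def is_protected(hostname):
    """True when the hostname is, or is under, one of the protected domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Classify every entry as local, block, hijack, redirect or invalid."""
    report = {"local": [], "block": [], "hijack": [], "redirect": [], "invalid": []}
    for line_no, address, hosts in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            report["invalid"].append((line_no, address, hosts))
            continue
        if is_sinkhole(address):
            # loopback -> localhost is the stock entry; anything else sunk is a block rule
            key = "local" if hosts == ["localhost"] else "block"
        elif any(is_protected(h) for h in hosts):
            # a protected domain mapped to a real address is the redirect-hijack pattern
            key = "hijack"
        else:
            key = "redirect"   # custom mapping to a real address: review, but not a hijack
        report[key].append((line_no, address, hosts))
    return report


def has_hijack(text):
    """Convenience check: does this hosts content redirect any protected domain?"""
    return bool(audit_hosts(text)["hijack"])


if __name__ == "__main__":
    # On a real machine, read C:\Windows\System32\drivers\etc\hosts and pass its text in.
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        for line_no, address, hosts in entries:
            print(f"{category:8} line {line_no}: {address} -> {' '.join(hosts)}")
```

The "block" bucket confirms a custom list such as MVPS is doing what it should (sinking to 0.0.0.0 or 127.0.0.1), while anything in "hijack" is the pattern to clean out; "redirect" entries are ordinary custom mappings that merit a glance but are not by themselves a sign of infection.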