Gmer scan not completing

#61
brodigan

    Member

  • Topic Starter
  • 73 posts
Ok!
Maybe this will do. I copied it onto the desktop and then zipped it?

Attached Files


#62
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Perfect. I'll pass it on to the guru.

Ron

#63
brodigan

    Member

  • Topic Starter
  • 73 posts
Hi Ron,

Is there anything I can do now? Or do the results need to be analysed?

#64
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Waiting to hear what the guru says but if you want to do something you could download and burn the Hiren's BootCD (post #31) and see if you can get it to boot off it.

#65
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
From the guru:

"The mbr code in the dmadmin.exe file looks like standard mbr code, whereas the code in the dump looks like custom OEM code - there's reference to using F11 to start recovery. I would be a bit leery of replacing the mbr at this time without a backup created outside of the Windows environment first. There's a good chance there is a copy of the custom mbr code in the recovery partition - but frankly, it might not be worth jumping through the hoops necessary to even find out. Provided the only real problem at this point is scanning with gmer in normal mode, I would try running it with just one option selected, then another and another until the user can determine which option is causing the hang.

This is more worrisome to me than the mbr at this time.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys


For whatever reason, that SP3 system is using an SP2 version atapi.sys
I'd either replace with the servicepackfiles copy or just over-the-top re-install SP3. "

We can fix that last easy enough.

We'll need Combofix again. If you have already removed it then download it again but call it george2.



Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\dllcache\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, SAVE AS, (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

Ron

#66
brodigan

    Member

  • Topic Starter
  • 73 posts
ComboFix 10-10-23.02 - Maureen 28/10/2010 12:33:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.375.198 [GMT 1:00]
Running from: c:\documents and settings\Maureen\Desktop\george.exe
Command switches used :: c:\documents and settings\Maureen\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\dllcache\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-26 20:16 . 2010-10-07 15:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3827E940-0112-4460-880B-5E7135A6E436}\mpengine.dll
2010-10-26 01:14 . 2010-10-26 01:15 -------- d-----w- c:\documents and settings\Administrator
2010-10-25 18:31 . 2010-10-25 18:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-10-24 20:43 . 2004-08-04 12:00 29760 -c--a-w- c:\windows\system32\dllcache\znetm.dll
2010-10-24 20:43 . 2004-08-04 12:00 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll
2010-10-24 20:43 . 2004-08-04 12:00 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll
2010-10-24 20:43 . 2004-08-04 12:00 4677 -c--a-w- c:\windows\system32\dllcache\zeeverm.dll
2010-10-24 20:43 . 2004-08-04 12:00 41029 -c--a-w- c:\windows\system32\dllcache\zcorem.dll
2010-10-24 20:43 . 2004-08-04 12:00 36937 -c--a-w- c:\windows\system32\dllcache\zclientm.exe
2010-10-24 20:43 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-24 20:43 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-24 20:43 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-24 20:43 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-24 20:43 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-24 20:43 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-24 20:42 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-24 20:42 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-24 20:42 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-10-24 20:42 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-24 20:42 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-10-24 20:42 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-10-24 20:42 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-10-24 20:40 . 2001-08-17 12:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2010-10-24 20:39 . 2008-04-13 18:45 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2010-10-24 20:38 . 2001-08-17 12:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-10-24 20:37 . 2001-08-17 11:10 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2010-10-24 20:36 . 2001-08-17 13:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-10-24 20:35 . 2001-08-17 11:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-10-24 20:34 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2010-10-24 20:33 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-10-24 20:32 . 2001-07-21 13:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-10-24 20:31 . 2001-08-17 21:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-10-24 20:30 . 2001-08-17 11:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-10-24 20:29 . 2004-08-04 12:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-10-24 20:28 . 2004-08-04 12:00 131584 -c--a-w- c:\windows\system32\dllcache\pmxviceo.dll
2010-10-24 20:27 . 2001-08-17 11:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-10-24 20:26 . 2001-08-17 13:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-10-24 20:26 . 2001-08-17 12:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-10-24 20:26 . 2001-08-17 11:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-10-24 20:26 . 2001-08-17 11:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-10-24 20:26 . 2001-08-17 11:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-10-24 20:26 . 2001-08-17 11:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-10-24 20:26 . 2001-08-17 21:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-10-24 20:26 . 2001-08-17 11:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-10-24 20:26 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-10-24 20:26 . 2001-08-17 12:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-10-24 20:26 . 2001-08-17 12:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-10-24 20:26 . 2008-04-13 18:54 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2010-10-24 20:24 . 2001-08-17 11:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-10-24 20:24 . 2001-08-17 11:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-10-24 20:24 . 2001-08-17 12:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-10-24 20:24 . 2001-08-17 21:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-10-24 20:24 . 2001-08-17 12:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-10-24 20:24 . 2001-08-17 21:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-10-24 20:24 . 2001-08-17 12:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-10-24 20:24 . 2004-08-04 12:00 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2010-10-24 20:24 . 2001-08-17 11:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-10-24 20:24 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-10-24 20:24 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-10-24 20:23 . 2001-08-17 12:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-10-24 20:23 . 2001-08-17 13:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-10-24 20:23 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-10-24 20:23 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-10-24 20:23 . 2001-08-17 13:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-10-24 20:23 . 2001-08-17 12:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-10-24 20:23 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-10-24 20:23 . 2001-08-17 12:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-10-24 20:22 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-10-24 20:21 . 2001-08-17 12:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-10-24 20:21 . 2004-08-04 12:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-10-24 20:21 . 2001-08-17 11:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-10-24 20:19 . 2001-08-17 11:12 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2010-10-24 20:18 . 2001-08-17 12:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-10-24 20:17 . 2001-08-17 13:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2010-10-24 20:16 . 2001-08-17 12:28 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-10-24 20:15 . 2001-08-17 21:36 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2010-10-24 20:14 . 2001-08-17 11:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-10-24 20:13 . 2001-08-17 11:19 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-10-24 20:12 . 2001-08-17 13:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2010-10-24 20:11 . 2001-08-17 12:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2010-10-24 20:10 . 2001-08-17 13:56 111232 -c--a-w- c:\windows\system32\dllcache\cl5465.dll
2010-10-24 20:09 . 2001-08-17 12:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-10-24 20:08 . 2001-08-17 11:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2010-10-24 20:07 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-10-24 19:01 . 2010-10-24 19:02 -------- d-----w- c:\documents and settings\Maureen\Application Data\QuickScan
2010-10-24 18:49 . 2010-10-24 18:49 -------- d-sh--w- c:\documents and settings\Maureen\IECompatCache
2010-10-24 18:39 . 2010-10-24 18:39 -------- d-sh--w- c:\documents and settings\Maureen\UserData
2010-10-24 16:39 . 2010-10-24 16:39 -------- d-----w- C:\_OTL
2010-10-19 16:19 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 16:18 . 2010-10-19 16:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 16:18 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-14 11:29 . 2010-10-14 11:29 1409 ----a-w- c:\windows\QTFont.for
2010-10-01 18:09 . 2010-10-01 18:09 -------- d-sh--w- c:\documents and settings\Declan\IETldCache
2010-09-29 14:45 . 2010-10-07 15:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-28 22:16 . 2010-09-28 22:16 -------- d-sh--w- c:\documents and settings\Maureen\PrivacIE
2010-09-28 14:05 . 2010-10-14 12:05 -------- d-----w- c:\windows\ie8updates
2010-09-28 13:58 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-28 13:58 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-28 13:58 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2010-09-27 18:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 11:23 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-09-20 16:44 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-20 16:44 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-09-20 16:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-09-20 16:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-09-20 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-09-20 16:42 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-09-20 16:46 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-09-20 16:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-09-20 16:45 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-09-20 16:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 19:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-09-20 16:42 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-09-20 16:45 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-09-20 16:45 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\David\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2005-3-1 81920]

c:\documents and settings\Maureen\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-5-13 155648]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]

2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]

2010-10-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 12:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\zHotkey.exe
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-28 12:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-28 11:51
ComboFix2.txt 2010-10-24 17:21

Pre-Run: 58,743,087,104 bytes free
Post-Run: 58,740,940,800 bytes free

- - End Of File - - 6D3353CDA33C1E95EF5CA245E718E8C7

#67
brodigan

    Member

  • Topic Starter
  • 73 posts
Ron, with regard to the gmer scan and doing it with one option selected at a time, does this mean that I should untick all boxes except the first (sections) first and then add another when that is finished?

Do I need to keep ADS ticked at all time or any other?

Please advise.

#68
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I think each time you run it you want just one section ticked and that includes ADS.

That last CFScript got rid of the atapi indication. I see there is still one file it doesn't like: mspmsnsv.dll. I didn't worry about it before because the MD5 is good, but perhaps we should try to find a more modern replacement. See if you have the file on your other PC that is newer than 2006-10-18. If so, copy it to:


c:\windows\system32\dllcache\mspmsnsv.dll
c:\windows\system32\mspmsnsv.dll

on the sick PC.

Ron
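The guru's note in #65 and Ron's follow-up in #68 both rest on reading the Sigcheck block of a ComboFix log by eye. As an added example (my code, not ComboFix's or the helper's), the script below parses that block, flags any copy of a file whose version is below another copy of the same name, and names the newest copy as a candidate source, which is exactly how the SP2 atapi.sys was spotted; the sample lines are copied from the two logs in this thread, and md5_of is there to check a replacement against the log's MD5 column.

```python
"""Parse the Sigcheck section of a ComboFix log and flag files whose copy on
disk carries a lower version than another copy of the same file (the SP2
atapi.sys on an SP3 system above).  Added example, not ComboFix's own code."""
import hashlib
import re

# One Sigcheck line as ComboFix prints it:
#   [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Sample input: Sigcheck lines copied from the two logs in this thread.
SAMPLE = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
"""


def version_key(version):
    """Turn '5.1.2600.5512' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; every other log line is ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
            entries.append(e)
    return entries


def find_downgrades(entries):
    """For each file name, report every copy whose version is below the newest
    copy seen, and where that newest copy lives (a candidate FCopy source)."""
    newest = {}
    for e in entries:
        best = newest.get(e["name"])
        if best is None or version_key(e["version"]) > version_key(best["version"]):
            newest[e["name"]] = e
    findings = []
    for e in entries:
        best = newest[e["name"]]
        if version_key(e["version"]) < version_key(best["version"]):
            findings.append({"path": e["path"], "version": e["version"],
                             "newest_version": best["version"],
                             "newest_path": best["path"]})
    return findings


def md5_of(path, chunk=1 << 16):
    """Upper-case MD5 of a file on disk, in the same form as the log's MD5
    column, so a replacement can be checked before and after copying."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for f in find_downgrades(parse_sigcheck(SAMPLE)):
        print(f"{f['path']} is {f['version']}; newest is "
              f"{f['newest_version']} at {f['newest_path']}")
```

Backup copies under $NtUninstall... or RegisteredPackages are reported too, since the script only compares versions; the human still decides which copy is the right source, as the guru did.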

#69
brodigan

    Member

  • Topic Starter
  • 73 posts
On the good computer do I just do a start-run mspmsnsv.dll to locate the file and then copy it into these two locations on the bad computer?

#70
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I would just right click on Start, select Explore and navigate to c:\windows\system32\mspmsnsv.dll and look for it there. I wouldn't think it is in use unless you are playing music or a video but if it says you can't copy it then look in c:\windows\system32\dllcache\mspmsnsv.dll

You may need to make system and hidden files visible first:

1. Double-click on the My Computer icon.
2. Select the Tools menu and click Folder Options.
3. After the new window appears select the View tab.
4. Put a checkmark in the checkbox labeled Display the contents of system folders.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.
9. Now your computer is configured to show all hidden files.

You can also just let it search (including system and hidden files) and it should come up with several.

Ron
#71
brodigan

    Member

  • Topic Starter
  • 73 posts
Hi Ron,

On the good computer that file is older. It was created on 2004-08-04 and modified on 2006-10-18.

#72
brodigan

    Member

  • Topic Starter
  • 73 posts
Apologies Ron,

I have found them.

#73
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
What version of Windows Media Player do you have on both computers? I wonder if we upgrade to the latest version if that would replace the file?

http://www.microsoft...&displaylang=en

#74
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Can you run Combofix again? Curious to see if it likes the new file.

Ron

#75
brodigan

    Member

  • Topic Starter
  • 73 posts
When running Combofix, shall I paste in the copied information again or just do a quick scan?