Gmer scan not completing
Started by brodigan, Oct 19 2010 10:37 AM
#61
Posted 27 October 2010 - 09:01 AM
Maybe this will do. I copied it on to desktop and then zipped it?
#62
Posted 27 October 2010 - 09:03 AM
Perfect. I'll pass it on to the guru.
Ron
#63
Posted 27 October 2010 - 08:16 PM
Hi Ron,
Is there anything I can do now? Or do the results need to be analysed?
#64
Posted 27 October 2010 - 08:43 PM
Waiting to hear what the guru says but if you want to do something you could download and burn the Hiren's BootCD (post #31) and see if you can get it to boot off it.
#65
Posted 28 October 2010 - 02:14 AM
From the guru:
"The mbr code in the dmadmin.exe file looks like standard mbr code, whereas the code in the dump looks like custom OEM code - there's reference to using F11 to start recovery. I would be a bit leery of replacing the mbr at this time without a backup created outside of the Windows environment first. There's a good chance there is a copy of the custom mbr code in the recovery partition - but frankly, it might not be worth jumping through the hoops necessary to even find out. Provided the only real problem at this point is scanning with gmer in normal mode, I would try running it with just one option selected, then another and another until the user can determine which option is causing the hang.
This is more worrisome to me than the mbr at this time.
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
For whatever reason, that SP3 system is using an SP2 version of atapi.sys.
I'd either replace with the servicepackfiles copy or just over-the-top re-install SP3."
We can fix that last easily enough.
We'll need Combofix again. If you have already removed it then download it again but call it george2.
Copy the text between the lines of stars by highlighting and Ctrl + c.
******************************************
KillAll::
FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\dllcache\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
******************************************
Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.
Pause your anti-virus.
Drag it over to george and let it start as before.
Post the new log.
Ron
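A small parser for the Sigcheck block the guru quoted, added here as an editor's example (it is not code from the thread, from ComboFix or from Sigcheck): it reads the `[tag] date . MD5 . size . . [version] . . path` lines, pairs each live system file with its ServicePackFiles reference copy, and flags the hash/version mismatch that the guru spotted by eye. The two input lines are the real ones from the quote above; the `is_reference` rule (any path under `\ServicePackFiles\i386\`) is this example's own assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One ComboFix Sigcheck line: "[tag] date [hh:mm] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+"
    r"(?P<path>.+?)\s*$"
)

# Sigcheck lines copied verbatim from the guru's quote in this thread.
SIGCHECK_BLOCK = r"""
------- Sigcheck -------
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers, dots and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["name"] = PureWindowsPath(e["path"]).name.lower()
        # Assumption: the copy under ServicePackFiles\i386 is the trusted reference.
        e["is_reference"] = "\\servicepackfiles\\i386\\" in e["path"].lower()
        entries.append(e)
    return entries


def version_tuple(version):
    """'5.1.2600.2180' -> (5, 1, 2600, 2180) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_mismatches(entries):
    """For every file that has a reference copy, flag live copies whose MD5 differs
    from it, and record whether the live copy is an older build (as here: SP2 on SP3)."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, group in by_name.items():
        refs = [e for e in group if e["is_reference"]]
        if not refs:
            continue  # nothing to compare against
        ref = refs[0]
        for live in group:
            if live["is_reference"] or live["md5"] == ref["md5"]:
                continue
            findings.append({
                "name": name,
                "live_path": live["path"],
                "live_version": live["version"],
                "reference_version": ref["version"],
                "older_than_reference": version_tuple(live["version"]) < version_tuple(ref["version"]),
                "size_delta": live["size"] - ref["size"],
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_sigcheck(SIGCHECK_BLOCK)):
        print(f"{f['name']}: live {f['live_version']} vs reference {f['reference_version']} "
              f"(older: {f['older_than_reference']}, size delta {f['size_delta']})")
```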
#66
Posted 28 October 2010 - 06:15 AM
ComboFix 10-10-23.02 - Maureen 28/10/2010 12:33:49.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.375.198 [GMT 1:00]
Running from: c:\documents and settings\Maureen\Desktop\george.exe
Command switches used :: c:\documents and settings\Maureen\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\dllcache\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.
2010-10-26 20:16 . 2010-10-07 15:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3827E940-0112-4460-880B-5E7135A6E436}\mpengine.dll
2010-10-26 01:14 . 2010-10-26 01:15 -------- d-----w- c:\documents and settings\Administrator
2010-10-25 18:31 . 2010-10-25 18:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-10-24 20:43 . 2004-08-04 12:00 29760 -c--a-w- c:\windows\system32\dllcache\znetm.dll
2010-10-24 20:43 . 2004-08-04 12:00 13894 -c--a-w- c:\windows\system32\dllcache\zonelibm.dll
2010-10-24 20:43 . 2004-08-04 12:00 113222 -c--a-w- c:\windows\system32\dllcache\zoneclim.dll
2010-10-24 20:43 . 2004-08-04 12:00 4677 -c--a-w- c:\windows\system32\dllcache\zeeverm.dll
2010-10-24 20:43 . 2004-08-04 12:00 41029 -c--a-w- c:\windows\system32\dllcache\zcorem.dll
2010-10-24 20:43 . 2004-08-04 12:00 36937 -c--a-w- c:\windows\system32\dllcache\zclientm.exe
2010-10-24 20:43 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-10-24 20:43 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-10-24 20:43 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-10-24 20:43 . 2001-08-17 21:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-10-24 20:43 . 2001-08-17 21:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-10-24 20:43 . 2001-08-17 21:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-10-24 20:42 . 2001-08-17 11:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-10-24 20:42 . 2004-08-03 21:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-10-24 20:42 . 2008-04-13 18:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2010-10-24 20:42 . 2004-08-03 21:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-10-24 20:42 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-10-24 20:42 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-10-24 20:42 . 2004-08-03 21:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-10-24 20:40 . 2001-08-17 12:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2010-10-24 20:39 . 2008-04-13 18:45 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2010-10-24 20:38 . 2001-08-17 12:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2010-10-24 20:37 . 2001-08-17 11:10 28232 -c--a-w- c:\windows\system32\dllcache\tos4mo.sys
2010-10-24 20:36 . 2001-08-17 13:07 16256 -c--a-w- c:\windows\system32\dllcache\symc810.sys
2010-10-24 20:35 . 2001-08-17 11:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2010-10-24 20:34 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2010-10-24 20:33 . 2008-04-13 18:46 11136 -c--a-w- c:\windows\system32\dllcache\slip.sys
2010-10-24 20:32 . 2001-07-21 13:29 161568 -c--a-w- c:\windows\system32\dllcache\sgsmusb.sys
2010-10-24 20:31 . 2001-08-17 21:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2010-10-24 20:30 . 2001-08-17 11:12 19017 -c--a-w- c:\windows\system32\dllcache\rtl8029.sys
2010-10-24 20:29 . 2004-08-04 12:00 9728 -c--a-w- c:\windows\system32\dllcache\query.exe
2010-10-24 20:28 . 2004-08-04 12:00 131584 -c--a-w- c:\windows\system32\dllcache\pmxviceo.dll
2010-10-24 20:27 . 2001-08-17 11:11 30282 -c--a-w- c:\windows\system32\dllcache\pcntn5hl.sys
2010-10-24 20:26 . 2001-08-17 13:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-10-24 20:26 . 2001-08-17 12:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-10-24 20:26 . 2001-08-17 11:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-10-24 20:26 . 2001-08-17 11:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-10-24 20:26 . 2001-08-17 11:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-10-24 20:26 . 2001-08-17 11:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-10-24 20:26 . 2001-08-17 21:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2010-10-24 20:26 . 2001-08-17 11:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-10-24 20:26 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-10-24 20:26 . 2001-08-17 12:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2010-10-24 20:26 . 2001-08-17 12:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-10-24 20:26 . 2008-04-13 18:54 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys
2010-10-24 20:24 . 2001-08-17 11:11 128000 -c--a-w- c:\windows\system32\dllcache\n100325.sys
2010-10-24 20:24 . 2001-08-17 11:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-10-24 20:24 . 2001-08-17 12:50 75520 -c--a-w- c:\windows\system32\dllcache\mxport.sys
2010-10-24 20:24 . 2001-08-17 21:36 7168 -c--a-w- c:\windows\system32\dllcache\mxport.dll
2010-10-24 20:24 . 2001-08-17 12:49 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-10-24 20:24 . 2001-08-17 21:36 19968 -c--a-w- c:\windows\system32\dllcache\mxicfg.dll
2010-10-24 20:24 . 2001-08-17 12:50 21888 -c--a-w- c:\windows\system32\dllcache\mxcard.sys
2010-10-24 20:24 . 2004-08-04 12:00 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2010-10-24 20:24 . 2001-08-17 11:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2010-10-24 20:24 . 2008-04-13 18:39 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-10-24 20:24 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-10-24 20:23 . 2001-08-17 12:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-10-24 20:23 . 2001-08-17 13:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-10-24 20:23 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-10-24 20:23 . 2004-08-04 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-10-24 20:23 . 2001-08-17 13:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-10-24 20:23 . 2001-08-17 12:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-10-24 20:23 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2010-10-24 20:23 . 2001-08-17 12:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-10-24 20:22 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2010-10-24 20:21 . 2001-08-17 12:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-10-24 20:21 . 2004-08-04 12:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-10-24 20:21 . 2001-08-17 11:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-10-24 20:19 . 2001-08-17 11:12 20573 -c--a-w- c:\windows\system32\dllcache\lne100.sys
2010-10-24 20:18 . 2001-08-17 12:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2010-10-24 20:17 . 2001-08-17 13:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2010-10-24 20:16 . 2001-08-17 12:28 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-10-24 20:15 . 2001-08-17 21:36 123392 -c--a-w- c:\windows\system32\dllcache\hpgt21tk.dll
2010-10-24 20:14 . 2001-08-17 11:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-10-24 20:13 . 2001-08-17 11:19 37120 -c--a-w- c:\windows\system32\dllcache\es1370mp.sys
2010-10-24 20:12 . 2001-08-17 13:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2010-10-24 20:11 . 2001-08-17 12:52 7424 -c--a-w- c:\windows\system32\dllcache\ddsmc.sys
2010-10-24 20:10 . 2001-08-17 13:56 111232 -c--a-w- c:\windows\system32\dllcache\cl5465.dll
2010-10-24 20:09 . 2001-08-17 12:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-10-24 20:08 . 2001-08-17 11:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys
2010-10-24 20:07 . 2001-08-17 13:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-10-24 19:01 . 2010-10-24 19:02 -------- d-----w- c:\documents and settings\Maureen\Application Data\QuickScan
2010-10-24 18:49 . 2010-10-24 18:49 -------- d-sh--w- c:\documents and settings\Maureen\IECompatCache
2010-10-24 18:39 . 2010-10-24 18:39 -------- d-sh--w- c:\documents and settings\Maureen\UserData
2010-10-24 16:39 . 2010-10-24 16:39 -------- d-----w- C:\_OTL
2010-10-19 16:19 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 16:18 . 2010-10-19 16:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 16:18 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-14 11:29 . 2010-10-14 11:29 1409 ----a-w- c:\windows\QTFont.for
2010-10-01 18:09 . 2010-10-01 18:09 -------- d-sh--w- c:\documents and settings\Declan\IETldCache
2010-09-29 14:45 . 2010-10-07 15:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-28 22:16 . 2010-09-28 22:16 -------- d-sh--w- c:\documents and settings\Maureen\PrivacIE
2010-09-28 14:05 . 2010-10-14 12:05 -------- d-----w- c:\windows\ie8updates
2010-09-28 13:58 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-09-28 13:58 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-28 13:58 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2010-09-27 18:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 11:23 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-09-20 16:44 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-20 16:44 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-09-20 16:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-09-20 16:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-09-20 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-09-20 16:42 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-09-20 16:46 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-09-20 16:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-09-20 16:45 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-09-20 16:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 19:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-09-20 16:42 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-09-20 16:45 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-09-20 16:45 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
------- Sigcheck -------
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\David\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2005-3-1 81920]
c:\documents and settings\Maureen\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-5-13 155648]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
Contents of the 'Scheduled Tasks' folder
2010-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]
2010-10-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 12:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\zHotkey.exe
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-28 12:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-28 11:51
ComboFix2.txt 2010-10-24 17:21
Pre-Run: 58,743,087,104 bytes free
Post-Run: 58,740,940,800 bytes free
- - End Of File - - 6D3353CDA33C1E95EF5CA245E718E8C7
.
2010-10-19 20:51 . 2010-09-27 18:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 11:23 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-09-20 16:44 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-09-20 16:44 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-09-20 16:44 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-09-20 16:46 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-09-20 16:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-09-20 16:43 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-09-20 16:42 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-09-20 16:46 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-09-20 16:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-09-20 16:45 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-09-20 16:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 19:26 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-09-20 16:42 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-09-20 16:45 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-09-20 16:45 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.
------- Sigcheck -------
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 12:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SoundMan"="SOUNDMAN.EXE" [2004-07-02 73728]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-07 155648]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-06 2550272]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
c:\documents and settings\David\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2005-3-1 81920]
c:\documents and settings\Maureen\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-5-13 155648]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
Contents of the 'Scheduled Tasks' folder
2010-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]
2010-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3973658002-517912522-2237625449-1010UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-25 09:22]
2010-10-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\Maureen\Application Data\Mozilla\Firefox\Profiles\c08hsf6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 12:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\windows\zHotkey.exe
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-28 12:51:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-28 11:51
ComboFix2.txt 2010-10-24 17:21
Pre-Run: 58,743,087,104 bytes free
Post-Run: 58,740,940,800 bytes free
- - End Of File - - 6D3353CDA33C1E95EF5CA245E718E8C7
#67
Posted 28 October 2010 - 08:51 AM
Ron, with regard to the gmer scan and doing it with one option selected at a time, does this mean that I should untick all boxes except the first (sections) first and then add another when that is finished?
Do I need to keep ADS ticked at all times, or any other?
Please advise.
#68
Posted 28 October 2010 - 08:54 AM
I think each time you run it you want just one section ticked and that includes ADS.
That last CFScript got rid of the atapi indication. I see there is still one file it doesn't like: mspmsnsv.dll. I didn't worry about it before because the MD5 is good, but perhaps we should try to find a more modern replacement. See if you have the file on your other PC that is newer than 2006-10-18. If so copy it to:
c:\windows\system32\dllcache\mspmsnsv.dll
c:\windows\system32\mspmsnsv.dll
on the sick PC.
Ron
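The Sigcheck comparison Ron is reading here (and the guru's earlier note about an SP2 atapi.sys on an SP3 system) can be mechanised. What follows is an added example, not part of this thread and not ComboFix's own code: a small Python parser over Sigcheck lines copied from this log, which groups copies of the same file and reports whether the copy in system32 matches the dllcache / ServicePackFiles reference copy, is older than it, or has no reference copy to compare against at all. The line layout and the choice of which directories count as "reference" copies are assumptions taken from the lines quoted above.

```python
"""Flag live system files that differ from their on-disk reference copies,
working from ComboFix-style Sigcheck lines (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample: the Sigcheck lines quoted in this thread.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2006-10-18 20:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[-] 2005-01-28 12:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\$NtUninstallWMFDist11$\mspmsnsv.dll
"""

# One Sigcheck line: [flag] date[ time] . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d\d-\d\d(?: \d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumption: these directories hold the pristine copies Windows itself
# restores from (Windows File Protection cache and service-pack payload).
REFERENCE_DIRS = ("\\servicepackfiles\\", "\\dllcache\\")


def parse_sigcheck(text):
    """Return a list of dicts, one per Sigcheck line; other lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ComboFix logs mix headers and blank '.' lines in
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()          # NTFS paths are case-insensitive
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        entries.append(e)
    return entries


def version_tuple(v):
    """'5.1.2600.5512' -> (5, 1, 2600, 5512) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_reference(path):
    return any(d in path for d in REFERENCE_DIRS)


def is_live(path):
    """The copy the running system actually loads: under system32, not a cache."""
    return "\\system32\\" in path and not is_reference(path)


def compare_copies(entries):
    """Map file name -> verdict about its live copy versus the reference copy."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = {}
    for name, copies in by_name.items():
        live = [c for c in copies if is_live(c["path"])]
        refs = [c for c in copies if is_reference(c["path"])]
        if not live:
            continue  # nothing loaded from this file; uninstall backups only
        live_copy = live[0]
        if not refs:
            findings[name] = "no reference copy (dllcache/ServicePackFiles) to compare against"
            continue
        ref = max(refs, key=lambda c: version_tuple(c["version"]))
        if live_copy["md5"] == ref["md5"]:
            findings[name] = "matches reference copy"
        elif version_tuple(live_copy["version"]) < version_tuple(ref["version"]):
            findings[name] = "live copy %s is OLDER than reference %s (%s)" % (
                live_copy["version"], ref["version"], ref["path"])
        else:
            findings[name] = "live copy differs from reference copy (hash mismatch)"
    return findings


if __name__ == "__main__":
    for name, verdict in sorted(compare_copies(parse_sigcheck(SAMPLE_SIGCHECK)).items()):
        print("%-16s %s" % (name, verdict))
```

On the sample this reports atapi.sys as an older copy than the ServicePackFiles one (the SP2-on-SP3 problem the guru pointed out) and mspmsnsv.dll as having no on-disk reference copy, which is exactly why Ron has to go looking for a replacement on another machine rather than restoring from dllcache.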
#69
Posted 28 October 2010 - 08:58 AM
On the good computer do I just do a start-run mspmsnsv.dll to locate the file and then copy it into these two locations on the bad computer?
#70
Posted 28 October 2010 - 09:04 AM
I would just right click on Start, select Explore and navigate to c:\windows\system32\mspmsnsv.dll and look for it there. I wouldn't think it is in use unless you are playing music or a video but if it says you can't copy it then look in c:\windows\system32\dllcache\mspmsnsv.dll
You may need to make system and hidden files visible first:
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Put a checkmark in the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
# Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
# Remove the checkmark from the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.
# Now your computer is configured to show all hidden files.
You can also just let it search (including system and hidden files) and it should come up with several.
Ron
#71
Posted 28 October 2010 - 09:12 AM
Hi Ron,
On the good computer that file is older. It was created on 2004-08-04 and modified on 2006-10-18.
#72
Posted 28 October 2010 - 09:24 AM
Apologies Ron,
I have found them.
#73
Posted 28 October 2010 - 09:24 AM
What version of Windows Media Player do you have on both computers? I wonder, if we upgrade to the latest version, whether that would replace the file?
http://www.microsoft...&displaylang=en
#74
Posted 28 October 2010 - 10:54 AM
Can you run Combofix again? Curious to see if it likes the new file.
Ron
#75
Posted 28 October 2010 - 12:08 PM
When running combofix shall I paste in the copied information again or just do a quick scan?