Got a Trojan and want to start over - format my hard drive!

kona

Member
I have more serious problems here than my spelling error when I was in a hurry. No, I know it is spelled Trojan, but thanks for pointing that out, Dan.
 
Last edited:

johnb35

Administrator
Staff member
It's actually spelled Trojan, but who cares....


Please do the following again in safe mode.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

File::

c:\windows\system32\roboot.exe
c:\program files\060220108152078.bat
c:\program files\060220108094678.bat


Folder::

c:\documents and settings\MSI\Application Data\Systweak
c:\documents and settings\MSI\Application Data\BabylonToolbar
c:\program files\Babylon
c:\documents and settings\MSI\Local Settings\Application Data\12eba47c

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
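An added example, not part of johnb35's post or of ComboFix itself: a small Python helper that builds the CFScript from the target lists above, lints the directive headers (ComboFix's documented layout is a header ending in a double colon, `Killall::`, `File::`, `Folder::`, followed by one path per line), and then reads the "Other Deletions" section of the ComboFix log to report which targets were never deleted. The check matters here: in the logs posted later in this thread the `File ::` targets are echoed back and listed as deleted, while none of the folder entries appear and the folders are still present in the next run, which is what a mis-typed header looks like from the outside. The sample log is a constructed excerpt copied from the safe-mode log further down the thread.

```python
"""Build a ComboFix CFScript and check the resulting log for what was actually removed.

Added example, not part of the original post or of ComboFix. It assumes
ComboFix's documented CFScript layout: a directive header ending in a
double colon (Killall::, File::, Folder::) followed by one path per line.
"""
import re

# Targets from the script above.
FILES = [
    r"c:\windows\system32\roboot.exe",
    r"c:\program files\060220108152078.bat",
    r"c:\program files\060220108094678.bat",
]
FOLDERS = [
    r"c:\documents and settings\MSI\Application Data\Systweak",
    r"c:\documents and settings\MSI\Application Data\BabylonToolbar",
    r"c:\program files\Babylon",
    r"c:\documents and settings\MSI\Local Settings\Application Data\12eba47c",
]

def build_cfscript(files, folders, killall=True):
    """Return CFScript text; CRLF line ends so Notepad shows it as intended."""
    lines = ["Killall::", ""] if killall else []
    if files:
        lines += ["File::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\r\n".join(lines)

# A bare word followed only by colons is a directive header.
HEADER_RE = re.compile(r"^([A-Za-z]+)(:+)\s*$")

def lint_cfscript(text):
    """Flag directive headers that are not written with the double colon."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if m and m.group(2) != "::":
            problems.append(f"line {n}: directive {line.strip()!r} must end in '::'")
    return problems

def deletions_from_log(log_text):
    """Paths ComboFix lists under 'Other Deletions' (lower-cased)."""
    deleted, in_section = set(), False
    for line in log_text.splitlines():
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("((((("):
            break                      # next section header
        if in_section:
            s = line.strip().strip('"')
            if s and s != "." and not s.startswith("---"):
                deleted.add(s.lower())
    return deleted

def unremoved_targets(files, folders, log_text):
    """Targets from the script that the log does not report as deleted."""
    deleted = deletions_from_log(log_text)
    return [p for p in [*files, *folders] if p.lower() not in deleted]

# Constructed excerpt of the safe-mode log posted later in this thread.
SAMPLE_LOG = r"""
ComboFix 11-11-09.02 - MSI 11/10/2011 17:25:05.8.2 - x86 MINIMAL
Command switches used :: c:\documents and settings\MSI\Desktop\CFScript.txt
.
FILE ::
"c:\program files\060220108094678.bat"
"c:\program files\060220108152078.bat"
"c:\windows\system32\roboot.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Previous Run -------
.
c:\program files\060220108094678.bat
c:\program files\060220108152078.bat
c:\windows\system32\roboot.exe
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
2011-11-06 18:48 . 2011-11-08 02:15 -------- d-sh--w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
"""

if __name__ == "__main__":
    script = build_cfscript(FILES, FOLDERS)
    print(script)
    print("lint:", lint_cfscript(script) or "ok")
    for p in unremoved_targets(FILES, FOLDERS, SAMPLE_LOG):
        print("still to deal with:", p)
```

Run against the excerpt, `unremoved_targets` returns all four folders, which is the list you would carry into the next script rather than assuming the first run took care of them.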
 

kona

Member
Do you want me to do this in SAFE MODE?

 

kona

Member
Got to go to work now - again.....

I will work at this again tomorrow morning.
Thanks a bunch !
 

kona

Member
Good morning
I'm at work right now so do not have access to my home pc. When I copied the combofix file - that was all that was in there .........unless I made some kind of an error......I will check the log when I get home tonight after 5pm (PST).

Sorry about the multiple posts - I just thought you would want it like that - I didn't know the 'drill' but I will 'edit' from now on.

If I do find I made a mistake and posted only part of the ComboFix log do you want me to post the complete log in a new Post or just go here and post the part I didn't post (add it to what's here below)?



Gary


ComboFix 11-11-09.02 - MSI 11/10/2011 0:03:54.7.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2761 [GMT -8:00]
Running from: C:\Documents and Settings\MSI\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\MSI\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\060220108094678.bat"
"c:\program files\060220108152078.bat"
"c:\windows\system32\roboot.exe"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\program files\060220108094678.bat
c:\program files\060220108152078.bat
c:\windows\system32\roboot.exe

I disabled Avast and Malware before running combofix but when it started to run I got three or four beeping alarms that said a real time scanner in Avast was working and warned me to shut it down. I just kept xing out of them (three or four of the prompts one after the other) and finally Combofix ran.
The Avast icon with a line through it (disabled) was in the bottom right of my screen the whole time.

My pc seems to boot up fast enough but it still 'hangs' there a bit when I click onto IE to go onto 'the lines.' Is that just Avast checking/updating?

Are there more 'cleaning-type' tests for me to run to get rid of the 55 or so Trojans I have/had on my pc?
 
Last edited:

johnb35

Administrator
Staff member
I needed you to post the whole combofix log not just the first part.

And for your information, there is an edit button next to your posts so you can edit them instead of making another one when no one has posted after you. I have gone back and merged most of them together. So from now on, start editing them please. :)
 

kona

Member
Yes - John - it would be better if I could just clean my pc.
A local pc retailer built my computer for me and they're very good. I do remember getting a lot of stuff from them and an "Image" disc....I may have a reinstall cd there somewhere.........but as you say..."why reinstall Windows."

I'll continue here with your "fixing" instructions John......thanks.

OP - ya....thanks....not up on the pc talk as you can tell.
I did however try to create a little humour with my quote "on the lines" rather than just saying "on-line." I tease my adult children with that........they get a kick out of my 'old-timer speak' haha........I'm only 62:(

Why reinstall windows when you can usually clean up the machine? And I don't think he has the reinstall cd anyway.



Original poster = OP Which means you, the one that started the thread.
 

kona

Member
Yes - I will look at the Combofix Log after work. I'm looking forward to it. This is time consuming but not as much as restoring a vintage drum (my hobby).......and .....I'm really looking forward to not having a sick pc. Have to keep my kids off it.

I'm still waiting to see the full combofix log. Then we'll see about the IE issue.

HERE IS THE BIGGEST COMBOFIX FILE I RAN - THE ONE I POSTED ABOVE WAS WHAT WAS THERE YESTERDAY AFTER I FINISHED.

ComboFix 11-11-09.02 - MSI 11/09/2011 18:22:38.6.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2646 [GMT -8:00]
Running from: c:\documents and settings\MSI\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-10-10 to 2011-11-10 )))))))))))))))))))))))))))))))
.
.
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\program files\ESET
2011-11-09 01:42 . 2011-11-09 01:51 -------- d-----w- C:\## aswSnx private storage
2011-11-08 05:27 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-08 05:27 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-08 05:27 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-08 05:27 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-08 05:27 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-08 05:27 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-08 05:27 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-08 05:27 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-08 05:27 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-08 05:27 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\program files\AVAST Software
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-08 03:41 . 2011-11-08 03:41 388096 ----a-w- c:\documents and settings\MSI\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 02:54 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 02:54 . 2011-11-07 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 02:14 . 2011-11-07 02:14 -------- d-----w- c:\documents and settings\MSI\Application Data\BabylonToolbar
2011-11-07 02:13 . 2011-11-07 02:13 -------- d-----w- c:\program files\Babylon
2011-11-07 02:12 . 2011-11-07 02:47 -------- d-----w- c:\documents and settings\MSI\Application Data\Systweak
2011-11-07 02:12 . 2011-09-30 23:37 17280 ----a-w- c:\windows\system32\roboot.exe
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-11-06 18:48 . 2011-11-08 02:15 -------- d-sh--w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
2011-10-13 05:58 . 2011-10-13 05:58 -------- d-----w- c:\program files\iPod
2011-10-13 05:58 . 2011-10-13 05:59 -------- d-----w- c:\program files\iTunes
2011-10-13 05:55 . 2011-10-13 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:13 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-13 14:06 . 2011-05-17 00:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-09-16 21:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06 . 2010-05-08 17:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2007-06-18 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-06-02 15:15 . 2010-06-02 15:15 436 ----a-w- c:\program files\060220108152078.bat
2010-06-02 15:09 . 2010-06-02 15:09 445 ----a-w- c:\program files\060220108094678.bat
2004-10-01 22:00 . 2006-09-16 22:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-26 21:06 . 2007-12-26 21:06 133120 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\MSI\Local Settings\Application Data\12eba47c ----
.
2011-11-06 18:48 . 2011-11-06 18:48 2048 --sha-w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c\@
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-08_02.20.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 08:02 . 2009-07-12 08:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2008-08-15 02:13 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-08-15 02:13 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2011-11-08 05:27 . 2011-11-08 05:27 219648 c:\windows\Installer\ac13cd.msi
+ 2011-11-08 03:41 . 2011-11-08 03:41 1094656 c:\windows\Installer\4b9948.msi
+ 2006-09-16 21:59 . 2011-11-10 00:59 50295240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-08-07 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-26 364544]
"nwiz"="nwiz.exe" [2006-08-08 1519616]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-12-26 98304]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MSI^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MSI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
2005-10-25 20:56 61440 ----a-w- c:\windows\VM303_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-08-20 21:57 221184 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-25 14:14 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-08-20 21:15 483328 ----a-r- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-08-20 21:23 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 01:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-11 13:43 7630848 ----a-r- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-11 13:43 86016 ----a-r- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-08 21:54 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 20:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-15 00:21 16270848 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 17:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-14 01:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-07-08 00:15 348160 ----a-w- c:\program files\WinFast\WFTVFM\WFWIZ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-04-07 10:16 631364 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"iPod Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2009 1:06 PM 101120]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 1:09 PM 717296]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/7/2011 9:27 PM 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/7/2011 9:27 PM 320856]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/7/2011 9:27 PM 20568]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 6:55 PM 366152]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 5:44 PM 183560]
S3 cpuz134;cpuz134;\??\c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 HwIOctl;HwIOctl; [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 6:54 PM 22216]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/6/2009 5:36 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/6/2009 5:36 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/6/2009 5:36 PM 23680]
S3 SunkFilt6;Alcor Micro Corp - 6360; [x]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 1:55 PM 46536]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [11/9/2007 11:24 PM 9446]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CXTUNE
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-10-19 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard-6002003-08-20 21:57Y35J1235G7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 21:57]
.
2011-11-09 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-07-19 21:23]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-10-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.0.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-09 18:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
.
[HKEY_USERS\S-1-5-21-1935655697-1482476501-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1968)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-11-09 18:31:21
ComboFix-quarantined-files.txt 2011-11-10 02:31
ComboFix2.txt 2011-11-08 02:29
ComboFix3.txt 2007-12-13 09:49
.
Pre-Run: 292,400,230,400 bytes free
Post-Run: 292,389,015,552 bytes free
.
- - End Of File - - 10CDDCDC9B99E9ABA821C54F4BC1B56F
 
Last edited:
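Reading a log this long by hand is where things get missed, so here is an added example, not part of the thread or of ComboFix, of a small triage pass in Python over lines copied from the log above. The rules are my own heuristics and give leads, not verdicts; each one is keyed to something visible in that log: a hidden, system-attributed directory with a random hex name under Local Settings (and the `@` file inside it), `.bat` files sitting loose in the root of Program Files, a kernel driver loading from a Temp directory, a service whose image file is missing (`[x]`), and an ActiveX control fetched from the web (the `DPF:` line). Note what the rules do not catch: `roboot.exe`, which the helper listed for removal, looks like any other new file in system32 by attributes and location alone, so a pass like this narrows the reading, it does not replace it. The sample block is constructed from lines in the log above, not a complete log.

```python
"""Triage pass over ComboFix log lines.

Added example, not part of this thread or of ComboFix. The rules are my
own heuristics and produce leads, not verdicts.
"""
import re
from pathlib import PureWindowsPath

# "created . modified size attrs path" lines (Files Created / Find3M / Look sections)
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(\S+)\s+([-dsharw]{8})\s+(.+?)\s*$"
)
# "R0 name;display name;image [date size]" service and driver lines
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
# "DPF: {CLSID} - hxxp://..." downloaded-program (ActiveX) entries
DPF_RE = re.compile(r"^DPF: (\{[0-9A-F-]+\}) - (\S+)", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)
EXEC_EXT = {".exe", ".dll", ".bat", ".cmd", ".scr", ".vbs"}

def file_findings(line):
    m = FILE_RE.match(line)
    if not m:
        return []
    attrs, path = m.group(4), m.group(5)
    p = PureWindowsPath(path)
    low = path.lower()
    out = []
    # hidden+system is normal under %SystemRoot%, suspicious inside a user profile
    if "h" in attrs and "s" in attrs and not low.startswith("c:\\windows"):
        out.append(("hidden+system object", path))
    # droppers like to name their working directory with a random hex string
    if attrs[0] == "d" and HEX_NAME.match(p.name):
        out.append(("directory with random hex name", path))
    # executables belong in a product subfolder, not loose in Program Files
    if p.suffix.lower() in EXEC_EXT and str(p.parent).lower() == "c:\\program files":
        out.append(("executable loose in Program Files root", path))
    return out

def service_findings(line):
    m = SVC_RE.match(line)
    if not m:
        return []
    name, image = m.group(2), m.group(4).lower()
    out = []
    if "[x]" in image:            # still registered, but the image file is gone
        out.append(("service with no image file", name))
    if "\\temp\\" in image:       # a kernel driver loading from a Temp directory
        out.append(("driver loaded from a Temp directory", name))
    return out

def dpf_findings(line):
    m = DPF_RE.match(line)
    return [("ActiveX control installed from the web", m.group(2))] if m else []

def triage(log_text):
    """Return (reason, path-or-name) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        findings += file_findings(line) + service_findings(line) + dpf_findings(line)
    return findings

# Constructed sample: lines copied from the log above, not a complete log.
SAMPLE = r"""
2011-11-08 05:27 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-07 02:12 . 2011-09-30 23:37 17280 ----a-w- c:\windows\system32\roboot.exe
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-06 18:48 . 2011-11-08 02:15 -------- d-sh--w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
2010-06-02 15:15 . 2010-06-02 15:15 436 ----a-w- c:\program files\060220108152078.bat
2010-06-02 15:09 . 2010-06-02 15:09 445 ----a-w- c:\program files\060220108094678.bat
2011-11-06 18:48 . 2011-11-06 18:48 2048 --sha-w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c\@
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 1:09 PM 717296]
S3 cpuz134;cpuz134;\??\c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 HwIOctl;HwIOctl; [x]
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
"""

if __name__ == "__main__":
    for reason, what in triage(SAMPLE):
        print(f"{reason:42} {what}")
```

On the sample the pass returns eight findings and stays quiet on `aswBoot.exe` and the hidden `PrivacIE` folder under the system profile, both of which are ordinary. The cpuz134 hit is a CPU-Z driver, which is the point of calling these leads: a driver in Temp is worth a look every time, and a human decides what it is.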

Quickpaw

New Member
I just figured since OP has all their data backed up and has an image disc, it would be easier than running all these utilities and posting all the logs and waiting for help on here. You're doing a great job, John, don't get me wrong; it just seemed a faster, simpler solution that would not only rid the infection from the machine, but may also help it run better since it'd be fresh.

But seeing as you're so far in, I'll leave you to it.
 

kona

Member
I just ran ComboFix in safe mode - here's the log file

ComboFix 11-11-09.02 - MSI 11/10/2011 17:25:05.8.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2653 [GMT -8:00]
Running from: c:\documents and settings\MSI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MSI\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\program files\060220108094678.bat"
"c:\program files\060220108152078.bat"
"c:\windows\system32\roboot.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\060220108094678.bat
c:\program files\060220108152078.bat
c:\windows\system32\roboot.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-11 01:35 . 2011-11-11 01:35 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-11-11 01:35 . 2011-11-11 01:35 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-11-11 01:35 . 2011-11-11 01:35 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-11-11 01:35 . 2011-11-11 01:35 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-11-11 01:35 . 2011-11-11 01:35 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\program files\ESET
2011-11-08 05:27 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-08 05:27 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-08 05:27 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-08 05:27 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-08 05:27 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-08 05:27 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-08 05:27 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-08 05:27 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-08 05:27 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-08 05:27 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\program files\AVAST Software
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-08 03:41 . 2011-11-08 03:41 388096 ----a-w- c:\documents and settings\MSI\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 02:54 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 02:54 . 2011-11-07 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-07 02:14 . 2011-11-07 02:14 -------- d-----w- c:\documents and settings\MSI\Application Data\BabylonToolbar
2011-11-07 02:13 . 2011-11-07 02:13 -------- d-----w- c:\program files\Babylon
2011-11-07 02:12 . 2011-11-07 02:47 -------- d-----w- c:\documents and settings\MSI\Application Data\Systweak
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-11-06 18:48 . 2011-11-08 02:15 -------- d-sh--w- c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
2011-10-13 05:58 . 2011-10-13 05:58 -------- d-----w- c:\program files\iPod
2011-10-13 05:58 . 2011-10-13 05:59 -------- d-----w- c:\program files\iTunes
2011-10-13 05:55 . 2011-10-13 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:13 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-13 14:06 . 2011-05-17 00:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-09-16 21:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06 . 2010-05-08 17:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2007-06-18 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-10-01 22:00 . 2006-09-16 22:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-26 21:06 . 2007-12-26 21:06 133120 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-08_02.20.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 08:02 . 2009-07-12 08:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2011-11-11 01:34 . 2011-11-11 01:34 16384 c:\windows\temp\Perflib_Perfdata_244.dat
+ 2008-08-15 02:13 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-08-15 02:13 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2011-11-08 05:27 . 2011-11-08 05:27 219648 c:\windows\Installer\ac13cd.msi
+ 2011-11-08 03:41 . 2011-11-08 03:41 1094656 c:\windows\Installer\4b9948.msi
+ 2006-09-16 21:59 . 2011-11-10 00:59 50295240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-08-07 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-26 364544]
"nwiz"="nwiz.exe" [2006-08-08 1519616]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-12-26 98304]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MSI^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MSI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
2005-10-25 20:56 61440 ----a-w- c:\windows\VM303_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-08-20 21:57 221184 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-25 14:14 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-08-20 21:15 483328 ----a-r- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-08-20 21:23 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 01:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-11 13:43 7630848 ----a-r- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-11 13:43 86016 ----a-r- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-08 21:54 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 20:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-15 00:21 16270848 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 17:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-14 01:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-07-08 00:15 348160 ----a-w- c:\program files\WinFast\WFTVFM\WFWIZ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-04-07 10:16 631364 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"iPod Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2009 1:06 PM 101120]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 1:09 PM 717296]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/7/2011 9:27 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/7/2011 9:27 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/7/2011 9:27 PM 20568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 6:55 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 6:54 PM 22216]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 5:44 PM 183560]
S3 cpuz134;cpuz134;\??\c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 HwIOctl;HwIOctl; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/6/2009 5:36 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/6/2009 5:36 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/6/2009 5:36 PM 23680]
S3 SunkFilt6;Alcor Micro Corp - 6360; [x]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 1:55 PM 46536]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [11/9/2007 11:24 PM 9446]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-10-19 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard-6002003-08-20 21:57Y35J1235G7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 21:57]
.
2011-11-10 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-07-19 21:23]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-10-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
TCP: DhcpNameServer = 192.168.0.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 17:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
.
[HKEY_USERS\S-1-5-21-1935655697-1482476501-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-10 17:42:04 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 01:41
ComboFix2.txt 2011-11-10 02:31
ComboFix3.txt 2011-11-08 02:29
ComboFix4.txt 2007-12-13 09:49
.
Pre-Run: 292,216,111,104 bytes free
Post-Run: 292,204,433,408 bytes free
.
- - End Of File - - 308A10877615D984B140A3A2EDA26778
 

johnb35

Administrator
Staff member
Ok, looks like I omitted a colon, wondering why some things didn't get deleted. Please do the following again in safe mode.

Please do the following again in safe mode.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Folder::

c:\documents and settings\MSI\Application Data\Systweak
c:\documents and settings\MSI\Application Data\BabylonToolbar
c:\program files\Babylon
c:\documents and settings\MSI\Local Settings\Application Data\12eba47c

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


Sorry about that.
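As an added example (not from this thread or from ComboFix's authors), a small Python checker for the mistake described in the post above: it rejects a CFScript directive written with a single colon ("Folder:") before the script is ever dropped onto ComboFix, and afterwards compares the File::/Folder:: targets against the "Other Deletions" section of the resulting log to report which paths actually went away. The sample script and log excerpt are constructed from entries in this thread; the "directive = word followed by exactly two colons" rule and the banner layout of the log section are assumptions modelled on the logs posted here.

```python
import re
from typing import Dict, List

# Constructed sample: the CFScript as first posted in this thread, with the
# "Folder:" header missing its second colon.
BAD_SCRIPT = r"""Killall::

File::

c:\windows\system32\roboot.exe

Folder:

c:\documents and settings\MSI\Application Data\Systweak
c:\documents and settings\MSI\Application Data\BabylonToolbar
c:\program files\Babylon
"""

# The corrected script (same content, "Folder::" spelled properly).
GOOD_SCRIPT = BAD_SCRIPT.replace("Folder:\n", "Folder::\n")

# Constructed excerpt of a ComboFix log's "Other Deletions" section, modelled
# on the logs posted above. BabylonToolbar is deliberately absent so the
# checker has something to report.
LOG_EXCERPT = r"""((((((((((((((((((( Other Deletions )))))))))))))))))))
.
.
c:\documents and settings\MSI\Application Data\Systweak
c:\program files\Babylon
c:\windows\system32\roboot.exe
.
.
((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))
.
"""

# Assumed directive syntax: a bare word followed only by colons, e.g. "Folder::".
HEADER_RE = re.compile(r"^([A-Za-z]+)(:+)$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [paths]}.

    A directive line must end in exactly two colons. The thread above shows
    what happens otherwise: paths under a "Folder:" header were not acted on.
    Such a header raises ValueError here instead of being silently skipped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            name, colons = match.groups()
            if colons != "::":
                raise ValueError(
                    f"line {lineno}: {line!r} has {len(colons)} colon(s); "
                    f"a directive needs '::'"
                )
            current = name
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: path {line!r} appears before any directive")
        # Paths are compared case-insensitively; NTFS path lookups ignore case.
        sections[current].append(line.lower())
    return sections


def deletions_from_log(log: str) -> List[str]:
    """Return the paths listed under the 'Other Deletions' banner of a ComboFix log."""
    found: List[str] = []
    inside = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("(((") and line.endswith(")))"):
            inside = "Other Deletions" in line  # any other banner ends the section
            continue
        if inside and line and line != ".":
            found.append(line.lower())
    return found


def verify_removals(script: str, log: str) -> Dict[str, List[str]]:
    """Cross-check the File::/Folder:: targets of a CFScript against the log's deletions."""
    sections = parse_cfscript(script)
    deleted = set(deletions_from_log(log))
    targets = sections.get("File", []) + sections.get("Folder", [])
    return {
        "removed": [p for p in targets if p in deleted],
        "still_present": [p for p in targets if p not in deleted],
    }


if __name__ == "__main__":
    try:
        parse_cfscript(BAD_SCRIPT)
    except ValueError as err:
        print("rejected:", err)
    for label, paths in verify_removals(GOOD_SCRIPT, LOG_EXCERPT).items():
        print(f"{label}:")
        for p in paths:
            print("   ", p)
```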
 

kona

Member
Here's the latest - just finished - combofix log

ComboFix 11-11-09.02 - MSI 11/10/2011 19:02:29.9.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2768 [GMT -8:00]
Running from: c:\documents and settings\MSI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MSI\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\MSI\Application Data\BabylonToolbar
c:\documents and settings\MSI\Application Data\Systweak
c:\documents and settings\MSI\Local Settings\Application Data\12eba47c
c:\documents and settings\MSI\Local Settings\Application Data\12eba47c\@
c:\program files\Babylon
.
.
((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))
.
.
2011-11-09 05:08 . 2011-11-09 05:08 -------- d-----w- c:\program files\ESET
2011-11-08 05:27 . 2011-09-06 21:37 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-08 05:27 . 2011-09-06 21:36 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-08 05:27 . 2011-09-06 21:38 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-08 05:27 . 2011-09-06 21:36 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-08 05:27 . 2011-09-06 21:36 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-08 05:27 . 2011-09-06 21:36 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-08 05:27 . 2011-09-06 21:36 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-08 05:27 . 2011-09-06 21:33 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-08 05:27 . 2011-09-06 21:45 41184 ----a-w- c:\windows\avastSS.scr
2011-11-08 05:27 . 2011-09-06 21:45 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\program files\AVAST Software
2011-11-08 05:26 . 2011-11-08 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-08 03:41 . 2011-11-08 03:41 388096 ----a-w- c:\documents and settings\MSI\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-07 02:54 . 2011-09-01 01:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-07 02:54 . 2011-11-07 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-11-06 20:05 . 2011-11-06 20:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-13 05:58 . 2011-10-13 05:58 -------- d-----w- c:\program files\iPod
2011-10-13 05:58 . 2011-10-13 05:59 -------- d-----w- c:\program files\iTunes
2011-10-13 05:55 . 2011-10-13 05:55 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-08 01:13 . 2004-08-04 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-10-13 14:06 . 2011-05-17 00:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2006-09-16 21:05 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 12:06 . 2010-05-08 17:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 09:37 . 2007-06-18 18:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 18:41 . 2007-10-09 21:03 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-10-01 22:00 . 2006-09-16 22:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-12-26 21:06 . 2007-12-26 21:06 133120 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-08_02.20.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 08:02 . 2009-07-12 08:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2011-11-11 03:12 . 2011-11-11 03:12 16384 c:\windows\temp\Perflib_Perfdata_7fc.dat
+ 2008-08-15 02:13 . 2011-10-10 14:22 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-08-15 02:13 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2011-11-08 05:27 . 2011-11-08 05:27 219648 c:\windows\Installer\ac13cd.msi
+ 2011-11-08 03:41 . 2011-11-08 03:41 1094656 c:\windows\Installer\4b9948.msi
+ 2006-09-16 21:59 . 2011-11-10 00:59 50295240 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 21:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-08-07 135168]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-26 364544]
"nwiz"="nwiz.exe" [2006-08-08 1519616]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-12-26 98304]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MSI^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MSI\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDog303]
2005-10-25 20:56 61440 ----a-w- c:\windows\VM303_STI.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-08-20 21:57 221184 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 18:24 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-25 14:14 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-08-20 21:15 483328 ----a-r- c:\windows\system32\hphmon05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-08-20 21:23 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-10 01:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2002-11-08 10:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-08-11 13:43 7630848 ----a-r- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-08-11 13:43 86016 ----a-r- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-08-08 21:54 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2007-02-04 20:02 79400 ----a-w- c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-06 01:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-11-15 00:21 16270848 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-w- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 17:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-14 01:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-07-08 00:15 348160 ----a-w- c:\program files\WinFast\WFTVFM\WFWIZ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
2003-04-07 10:16 631364 ----a-w- c:\program files\Logitech\iTouch\iTouch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"NVSvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"FSMA"=2 (0x2)
"FSDFWD"=3 (0x3)
"FSAUA"=3 (0x3)
"F-Secure Gatekeeper Handler Starter"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"iPod Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Pml Driver HPZ12"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Photo Story 3 for Windows\\PhotoStory3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [7/14/2009 1:06 PM 101120]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 1:09 PM 717296]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/7/2011 9:27 PM 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/7/2011 9:27 PM 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/7/2011 9:27 PM 20568]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/6/2011 6:55 PM 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/6/2011 6:54 PM 22216]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 5:44 PM 183560]
S3 cpuz134;cpuz134;\??\c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\MSI\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 HwIOctl;HwIOctl; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/6/2009 5:36 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/6/2009 5:36 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/6/2009 5:36 PM 23680]
S3 SunkFilt6;Alcor Micro Corp - 6360; [x]
S3 SunkFilt62;Alcor Micro Corp - 6362;c:\windows\system32\drivers\sunkfilt62.sys [7/23/2004 1:55 PM 46536]
S3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [11/9/2007 11:24 PM 9446]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-10-19 c:\windows\Tasks\HP DArC Task 2003-08-20 09:23ewlett-Packard-6002003-08-20 21:57Y35J1235G7I.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-08-20 21:57]
.
2011-11-10 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2008-07-19 21:23]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-11-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
2011-10-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1935655697-1482476501-839522115-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
TCP: DhcpNameServer = 192.168.0.1
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-10 19:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,80,80,66,53,57,d0,44,95,13,fe,\
.
[HKEY_USERS\S-1-5-21-1935655697-1482476501-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-10 19:22:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-11 03:22
ComboFix2.txt 2011-11-11 01:42
ComboFix3.txt 2011-11-10 02:31
ComboFix4.txt 2011-11-08 02:29
ComboFix5.txt 2011-11-11 03:01
.
Pre-Run: 292,155,490,304 bytes free
Post-Run: 292,153,610,240 bytes free
.
- - End Of File - - B7398A98B09D4A4D98935438867BBB29
 
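An added triage helper for logs in this layout (example code, not part of this thread and not ComboFix's own tooling): it parses the "DLLs Loaded Under Running Processes" and "Other Running Processes" sections and flags any binary that lives outside c:\windows or c:\program files, or carries a well-known system process name but sits in a directory where that binary does not normally live on XP. The trusted roots, the expected-home table and the short sample log are assumptions constructed for the example, not lines taken from the log above.

```python
"""Quick triage of the process/DLL sections of a ComboFix-style log.

Added example, not code from the thread or from ComboFix. TRUSTED_ROOTS,
EXPECTED_HOME and SAMPLE_LOG are assumptions constructed for illustration.
"""
import re

# Directory prefixes we treat as expected locations (assumption: Windows XP
# default layout). Trailing backslash stops "c:\windowsX\..." from matching.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# Where a handful of well-known XP system binaries normally live; a copy
# anywhere else with the same name is a classic masquerading trick.
EXPECTED_HOME = {
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "rundll32.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Constructed excerpt in ComboFix's layout (not the thread's real log).
# The last two entries under "Other Running Processes" are deliberately odd.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\user\Local Settings\Temp\svchost.exe
c:\windows\system32\drivers\lsass.exe
.
**************************************************************************
"""

# Section headers look like "------ Title ------"; the per-process marker
# "- - - - > 'explorer.exe'(2640)" has single dashes and does not match.
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_sections(log_text):
    """Return {section title: [path, ...]} for every dashed section."""
    sections = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if line.startswith("****"):      # row of asterisks ends the block
            current = None
            continue
        if current and PATH_RE.match(line):
            sections[current].append(line)
    return sections


def flag_paths(paths):
    """Return [(path, reason), ...] for entries worth a second look."""
    findings = []
    for path in paths:
        low = path.lower()
        directory, _, name = low.rpartition("\\")
        if not low.startswith(TRUSTED_ROOTS):
            findings.append((path, "outside trusted roots"))
        elif name in EXPECTED_HOME and directory != EXPECTED_HOME[name]:
            findings.append((path, "system binary name in unexpected directory"))
    return findings


def triage(log_text):
    """Map each process/DLL section to its flagged entries."""
    return {
        title: flag_paths(paths)
        for title, paths in parse_sections(log_text).items()
        if "Processes" in title
    }


if __name__ == "__main__":
    for title, findings in triage(SAMPLE_LOG).items():
        print(title)
        for path, reason in findings:
            print("  ", reason + ":", path)
```

On a real log, paste the whole ComboFix.txt into `triage()`; anything it flags is not automatically malicious (third-party software under "c:\documents and settings" is common), but it is the short list worth checking against the quarantine and file hashes before deciding whether the machine is clean or is better rebuilt from the restore image.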

kona

Member
John - can I use my computer in the meantime? Or is it better to wait until all the viruses are removed? I'm checking email - eBay and some Vintage Drum Forums - that's all. But, if it's better not to do that for now please let me know.

AN ASIDE:
Is it normal for IE to take from 26-44 seconds to open up every time I click on it? Or is my PC still very sick and having some conflict there? Maybe Avast is helping with the opening of IE and protecting my PC.......? Just thoughts as I click on to get to the Forum here.
 

Quickpaw

New Member
This is kinda why I was thinking just format it. Because there's so much back and forth, the process is drawn out and there may always be issues with Windows now, e.g. IE taking a long time to open.

If you have a system image disc and you understand using it will erase everything on your hard drive, I'd say use it.
 

kona

Member
Restore......... maybe... ya

When I had the PC built in August of '07 the builder made me a disk labelled
"restore image 08/22/07"
I also have a Drivers & Utilities disk and a floppy disk G72-MNPR009-J10 MCP55 chipset SATA Raid version: 5.10.2600.0654 For Win2k/XP only Disk 1 of 1

Are these some of what I need to proceed with after/when I format the hard drive?

 