This nasty little thing manifests itself as a pop-up that essentially locks up my computer (Dell Dimension P4, XP-SP3) until I enter a uKash code for $100. The pop-up displays my ISP's server and my IP address. It showed up for the first time this morning but that does not mean it was not there sitting dormant for a while.
I can't run task manager or anything else for that matter. The only way out is a hard power off.
I can't boot in simple safe mode. The sequence blocks forever when loading MUP.SYS.
I can boot in safe mode with networking but the malware simply pops up and locks me out from doing anything else.
The only thing I was able to do is boot in normal mode, then log on using a visitor account with reduced access rights. In that mode, the desktop simply shows the wall paper (no icons). Nothing else works but I was able to invoke Task Manager with the ctrl-shift-esc shortcut. That allowed me to launch iexplore via file\run in task manager. I found a site with instructions to remove that infection (http://www.malwareexperts.com/royal-canadian-mounted-police-ukash-virus-removal/). I was able to download RKILL and used Run As to run it as an admin (I realise the malware may have captured my admin password). Unfortunately, it seemed to start ok but then started reporting that it could not stop PEV.EXE process because another process was using it. After an hour or so of it spewing out such errors, I just did a hard power off.
Not sure where to go from here since I can't do anything on that machine other than log on to a limited visitor account and launch stuff via Task Manager.
I can probably live with just wiping the system clean and re-installing everything but I'd like to be sure I do it in a way that ensures there are no traces of the malware left. I am also concerned that the malware has gathered and sent out enough info (e.g. ISP server, my IP address, my admin passwords, etc) to create a breach that would be exploitable after a re-install.
Any suggestions would be greatly appreciated.
One final note, I had cleaned a rootkit infection about a month ago, using TDSSKiller. It was "Virus.Win32.Loader.a" masquerading as acpi.sys. Everything was working fine since but thought I'd mention it just in case.
Hi, wilko. Welcome to LandzDown Forum.
Considering that your computer recently had a rootkit and now is infected with ransomware, it sounds as though either the computer was not completely cleaned or there is a security issue with your computer (i.e., outdated third-party software such as Java or Adobe Reader or Flashplayer).
A clean install is probably the best way to go. However, if you wish to attempt cleaning the computer, it will be necessary to get some breathing space. I suggest you follow the instructions in my tutorial for Windows Defender Offline (http://securitygarden.blogspot.com/2011/06/setting-up-microsoft-standalone-system.html) (formerly called Microsoft Standalone System Sweeper).
Another option to try is Kaspersky Rescue Disk. Download and instructions are available here: Kaspersky Rescue Disk 10 (http://support.kaspersky.com/viruses/rescuedisk).
After running either (or both) of those tools, please follow the instructions in Log Posting Instructions (http://www.landzdown.com/analysis-and-malware-removal/log-posting-instructions/) and we can see if there is anything else that needs fixing.
Hi Corrine. Thanks for the quick reply.
I would definitely like to try and preserve my data before resorting to a clean install. I will look into the Windows Defender Offline link you provided. I'll post back my results.
I already tried the Kaspersky Rescue Disk approach with a USB thumb drive but I could not boot successfully from it. I get a "Boot Error" when I select "Boot from USB" at startup. If I pull the USB drive out and try again, I get a "Selected boot device not available" so I know the computer is actually trying to boot from the USB drive when I get the error. I reformatted the USB drive (FAT32) and created a primary partition with diskpart, and repeated the steps to recreate the rescue disk but the results are the same. Not sure what is going wrong with that. Is it possible this is because I am creating the USB boot drive on a separate Windows 7 PC? I would not think that would matter since I understand the rescue disk is actually booting Linux. The USB drive root contains only the following 3 items:
rescue (folder)
liveusb (file, size 0)
syslinux.cfg (file, size 237 bytes)
Hello,
Ran WDO successfully and was able to clean the Ransomware and several Java related items. I can now log in and use the computer via any one of the 4 accounts on it.
I uninstalled Java and updated Acrobat Reader to version X.
There is one remaining issue with the account where the infection occurred: the desktop is empty (wallpaper only) and I can't right click to bring up the context menu or drag any items from Explorer (when I try, I get the "circle/slash" cursor). Using Explorer however, I can see and access all desktop content. If I create a shortcut on the desktop, it does not appear on the desktop itself but I can see it in the desktop directory via Explorer. All the other accounts do not exhibit that Desktop problem.
I started following the Log Posting Instructions in the problem account but ran into an issue with DDR.SCR: While DDR.SCR was running, my AV software (ZoneAlarm Extreme Security) popped up the following message:
MBR.DAT is trying to install a driver and gain full access to the OS. Allow/Deny?
I clicked Allow since I assumed DDR.SCR was safe but that resulted in an instant reboot of the PC. That reboot was not orderly since the RAID array (mirror) started rebuilding after reboot.
I logged back into the problem account and am able to launch Explorer and navigate around OK but I am concerned I have another infection. Need some guidance re next steps: Should I rerun WDO or just restart DDR.SCR and click Deny if I get the popup again?
Thanks.
Hi, wilko.
First, I'm glad that Windows Defender Offline gave you some breathing room. That is a good start so that, if nothing else, you can back up important files and do a clean install. As to the desktop, we'll see what happens with further analysis.
DDS.SCR does not do anything, no fixes, no system changes. It is merely used to obtain a log file. You mentioned running TDSSKiller previously. Had you backed up the MBR or run aswMBR, which places a copy of MBR.DAT on the desktop?
Let's start with an MBAM scan:
- Launch Malwarebytes' Anti-Malware then click the Update tab and "Check for Updates"
- Once the update has been installed and the program has loaded, select Quick scan
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(http://securitygarden.googlepages.com/MBAM_SR.png)
- Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.
** Note **
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Now go ahead with the Log Posting Instructions (http://www.landzdown.com/analysis-and-malware-removal/log-posting-instructions/).
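Added example (not code from this thread, from the forum, or from Malwarebytes): a small Python parser for the MBAM 1.x text-log layout that the instructions above ask posters to paste, sorting the detections into the groups a helper reads first. The category rules are the editor's own heuristics, and the sample log is constructed with placeholder user, machine, GUID and file names rather than copied from any real scan.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log and triage the detections.

Added example for this thread, not MBAM's own code. It reads the text-log
layout the forum asks for (sections such as "Registry Values Detected: N"
followed by one line per item) and groups items into the categories a
helper looks at first: autostart entries that load a DLL out of a Temp
folder via rundll32, COM CLSID InprocServer32 hijacks, Explorer/System
policy tampering (hidden desktop, disabled Task Manager or regedit), and
items that still need a reboot before they are actually deleted.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the MBAM 1.x log layout. User, machine, GUIDs and
# file names are placeholders, not values taken from any real scan.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.25.07

Windows XP Service Pack 3 x86 NTFS
EXAMPLEUSER :: EXAMPLEPC [administrator]

Scan type: Quick scan
Objects scanned: 1000

Memory Processes Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|abcdef (Trojan.Downloader) -> Data: rundll32.exe "C:\DOCUME~1\EXAMPLEUSER\LOCALS~1\Temp\abcdef.dll",SomeExport -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKCR\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\EXAMPLEUSER\Local Settings\Application Data\{00000000-0000-0000-0000-000000000002}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\EXAMPLEUSER\Local Settings\Temp\abcdef.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\EXAMPLEUSER\Local Settings\Temp\~!#12.tmp (Trojan.Agent.TBM) -> Quarantined and deleted successfully.

(end)
"""

# "Registry Data Items Detected: 5" -> section "Registry Data Items", count 5
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "<location> (<signature family>) -> <details and/or action>"
ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<cls>[\w.]+)\) -> (?P<rest>.+)$")
# "Bad: (<tampered value>) Good: (<value MBAM restored>)"
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


@dataclass
class Finding:
    section: str                 # e.g. "Registry Values"
    location: str                # registry path|value name, or file/folder path
    classification: str          # MBAM signature family, e.g. "Trojan.Downloader"
    action: str                  # e.g. "Quarantined and deleted successfully."
    data: Optional[str] = None   # "Data:" payload of a Run-type value
    bad: Optional[str] = None    # tampered value of a "Bad: (..) Good: (..)" item
    good: Optional[str] = None   # value MBAM put back


def parse_mbam_log(text: str) -> list:
    """Return one Finding per detected item, in log order."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group("section")
            continue
        if section is None:
            continue                      # still in the version/scan-options header
        m = ITEM_RE.match(line)
        if not m:
            continue                      # "(No malicious items detected)", "(end)"
        parts = m.group("rest").split(" -> ")
        f = Finding(section, m.group("loc"), m.group("cls"), parts[-1])
        if len(parts) > 1:
            detail = parts[0]
            if detail.startswith("Data: "):
                f.data = detail[len("Data: "):]
            else:
                bg = BADGOOD_RE.match(detail)
                if bg:
                    f.bad, f.good = bg.group("bad"), bg.group("good")
        findings.append(f)
    return findings


def classify(f: Finding) -> str:
    """Editor's heuristic buckets; the order matters (first match wins)."""
    loc = f.location.lower()
    if "\\currentversion\\run|" in loc and "rundll32" in (f.data or "").lower():
        return "autostart-rundll32"       # DLL loaded at logon, typically from Temp
    if "\\clsid\\" in loc and "inprocserver32" in loc:
        return "com-hijack"               # a system COM object redirected to malware
    if "\\policies\\" in loc and f.classification.startswith("PUM."):
        return "policy-tamper"            # NoDesktop / DisableTaskMgr / DisableRegistryTools
    if f.action.lower().startswith("delete on reboot"):
        return "pending-reboot"           # file was in use; gone only after a restart
    return "other"


def triage(findings) -> dict:
    """Map category -> list of locations, so a helper can skim by type."""
    groups = defaultdict(list)
    for f in findings:
        groups[classify(f)].append(f.location)
    return dict(groups)


def needs_reboot(findings) -> bool:
    """True when any item is scheduled for deletion on restart."""
    return any(f.action.lower().startswith("delete on reboot") for f in findings)


def policy_fixes(findings) -> list:
    """(value name, tampered value, restored value) for each policy item."""
    return [(f.location.rsplit("|", 1)[1], f.bad, f.good)
            for f in findings if classify(f) == "policy-tamper"]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for category, locations in triage(found).items():
        print(category, "->", len(locations), "item(s)")
    print("policy values restored:", policy_fixes(found))
    print("reboot required:", needs_reboot(found))
```

Run it against a pasted log instead of the sample by reading the file into `parse_mbam_log`. The `policy_fixes` output is the part that ties back to the symptoms in this thread: an empty desktop and a "disabled by the system administrator" Task Manager correspond to `NoDesktop` and `DisableTaskMgr` set to 1, and MBAM's "Good: (0)" is the value it restores. A "Delete on reboot" item means the restart MBAM asks for is not optional.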
Logs for MBAM, DDS, SecurityCheck below.
Making progress. Thank you so much for your help.
Desktop icons are back. After running MBAM, I got the right-click context menu back for the desktop and checked "Show Desktop Icons".
Something "hijacked" Task Manager: When I try to launch it with Ctrl-Alt-Del or Ctrl-Shift-Esc, I get a dialog that says that TM was disabled by the system administrator.
While running DDS, the MBR.DAT event was flagged again by ZoneAlarm. This time I clicked "Deny" (pop-up occurred 3 times), and DDS was able to complete.
Security Check also spit out an error dialog in Windows (not in the CMD window) after showing "Preparing" in the CMD shell:
AutoIt Error
Line -1:
Error: Variable must be of type "Object"
SecurityCheck also spit out "file not found" errors after displaying "Antivirus / Firewall Check Done" in the CMD shell. The first error was for file HOSTCOPY.TXT while the others (3 or 4 flashed by real quick) were generic "File Not Found" errors.
==========
MBAM
==========
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.25.07
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joanne :: OFFICE01 [administrator]
5/25/2012 5:40:21 PM
mbam-log-2012-05-25 (17-40-21).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 285666
Time elapsed: 26 minute(s), 10 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|pcorvs (Trojan.Downloader) -> Data: rundll32.exe "C:\DOCUME~1\Joanne\LOCALS~1\Temp\pcorvs.dll",SteamGameServer_GetSteamID -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ldmshl (Trojan.Agent.LTGen) -> Data: rundll32.exe "C:\DOCUME~1\Joanne\LOCALS~1\Temp\ldmshl.dll",Vec2TransformNormalArray -> Quarantined and deleted successfully.
Registry Data Items Detected: 5
HKCR\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Bad: (C:\Documents and Settings\Joanne\Local Settings\Application Data\{fab8b101-fd4a-9c27-c1f1-4e79801111f7}\n.) Good: (%SystemRoot%\system32\shdocvw.dll) -> Quarantined and repaired successfully.
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{fab8b101-fd4a-9c27-c1f1-4e79801111f7}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Documents and Settings\All Users\Application Data\13246404 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Detected: 5
C:\Documents and Settings\Joanne\Local Settings\Temp\pcorvs.dll (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Joanne\Local Settings\Temp\~!#12.tmp (Trojan.Agent.TBM) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joanne\Local Settings\Temp\ldmshl.dll (Trojan.Agent.LTGen) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\13246404\13246404 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13246404\pc13246404ins (Rogue.Multiple) -> Quarantined and deleted successfully.
(end)
==========
DDS
==========
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Joanne at 18:15:50 on 2012-05-25
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {A94E8DC9-07AA-45A7-8AF2-A0375473A5CD} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [<NO NAME>]
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [Netgear UDS Control Center] c:\program files\netgear\usb control center\Control Center.exe -mini
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech desktop messenger.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortcut to iaanotif.exe.lnk - c:\program files\intel\intel matrix storage manager\IAAnotif.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zonealarm security.lnk - c:\program files\zone labs\zonealarm\zlclient.exe
uPolicies-system: DisableTaskMgr = 0
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.ca
Trusted Zone: consortia-inc.com\office
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {A7C49732-4761-4A66-9945-BAF55E98E0E4} - hxxp://veatl.verint.com/cockpit/webclient/JDsAxV.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E13A909-66AE-4DD3-BAB3-374BAEA3D255} : DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-25 21:38:31 -------- d-----w- c:\documents and settings\joanne\application data\Malwarebytes
2012-05-25 21:38:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-25 21:38:09 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 21:38:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 07:37:39 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-01 20:40:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 15:10:08 -------- d-----w- c:\windows\MATS
2012-05-01 15:10:06 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-05-01 14:13:49 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-01 14:13:49 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-01 14:13:47 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-01 14:13:47 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-01 14:13:47 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-01 14:13:25 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-01 14:13:24 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-01 14:13:22 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-01 14:13:17 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2012-05-01 14:13:16 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-01 14:13:14 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-01 14:11:59 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-05-01 14:10:56 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2012-05-01 14:09:59 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2012-05-01 14:08:59 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2012-05-01 14:07:59 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2012-05-01 14:06:58 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2012-05-01 14:05:56 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2012-05-01 14:04:59 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-05-01 14:03:59 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2012-05-01 14:02:48 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2012-05-01 14:01:59 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys
2012-05-01 14:00:57 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2012-05-01 13:59:59 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2012-05-01 13:58:59 49792 -c--a-w- c:\windows\system32\dllcache\cyzport.sys
2012-05-01 13:57:58 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-01 13:56:59 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2012-05-01 13:55:59 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2012-05-01 13:54:59 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
.
==================== Find3M ====================
.
2012-05-05 19:16:09 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 19:16:09 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-01 20:42:21 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 18:18:58.84 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
57xx SteelVine
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Community Help
Adobe Digital Editions
Adobe Download Manager
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 9
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.5
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Attribute Changer 6.20
Audacity 1.2.6
Avanquest update
AviSynth 2.5
BlackBerry App World Browser Plugin
BlackBerry Desktop Software 6.1
BlackBerry Device Software Updater
Bonjour
Canon iP4300
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CD-LabelPrint
CDDRV_Installer
Combined Community Codec Pack 2011-07-30
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell MFP 1125
doPDF 7.2 printer
Elements 9 Organizer
Elements STI Installer
ffdshow [rev 2583] [2009-01-05]
FlipShare
Garmin City Navigator Europe NT 2011.10
Garmin City Navigator North America NT 2011.10 Update
Garmin Communicator Plugin with myGarmin Agent
Garmin USB Drivers
Garmin WebUpdater
GoGear VIBE Device Manager
Google Chrome
Google Update Helper
Google Updater
GPL Ghostscript
Haali Media Splitter
HD Tune 2.55
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HxD Hex Editor version 1.7.7.0
IBM OnDemand AFP Web Viewer
Intel(R) PRO Network Connections Drivers
Intel® Matrix Storage Manager
Internet Explorer (Enable DEP)
IrfanView (remove only)
iTunes
Java Auto Updater
KhalInstallWrapper
LAME v3.98.3 for Audacity
Logitech Desktop Messenger
Logitech Harmony Remote Software 7
Logitech SetPoint
MakeMKV v1.7.0
Malwarebytes Anti-Malware version 1.61.0.1400
Media Converter for Philips
MedView
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Automated Troubleshooting Services Shim
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Fix it Center
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC100_CRT_SP1_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_CRT_x86
Milano Salon
Milano Salon 2007
Motorola Driver Installation 4.5.0
Motorola Phone Tools
MSN
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
MusicBrainz Picard
MySQL Connector/ODBC 3.51
Neat ADF Scanner 2008 Driver
Neat ADF Scanner Driver
Neat Mobile Scanner (Silver) Driver
Neat Mobile Scanner 2008 Driver
Neat Mobile Scanner Driver
NeatWorks
NeatWorks Core Files
NETGEAR USB Control Center
Next Generation Visualisations
Nokia Connectivity Cable Driver
Nokia Suite
PC Connectivity Solution
PC Tune-Up
PDF Watermark Remover
PDFill PDF Editor with FREE Writer and FREE Tools
PdfMerge
Polar UpLink Tool
Polar WebLink 2.4.11
PressReader
Quick PDF Tools 2.1.5.9
Quicken 2011
QuickTime
Remote Control USB Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Seagate DiscWizard
SeaTools for Windows
Security Advisor
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SendBlaster 2
SigmaTel Audio
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
Silicon Laboratories CP210x VCP Drivers for Windows 2000/XP/2003 Server/Vista
Simple Sudoku 4.2
Simply Accounting by Sage 2009
Skins
SONAR 6 LE
Sonic CinePlayer Decoder Pack
Sothink Video Converter
Sound Organizer
Spelling Dictionaries Support For Adobe Reader 9
SupportSoft Assisted Service
TrayStatus 1.2.0
TreeSize Free V2.5
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC 9.0 Runtime
VLC media player 1.1.11
WD Discovery Software
WebEx
WebFldrs XP
Windows 7 Upgrade Advisor
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WinHTTrack Website Copier 3.44-1
WinX DVD Ripper 5.5.3
XML Paper Specification Shared Components Pack 1.0
Xvid 1.2.2 final uninstall
ZoneAlarm Antivirus
ZoneAlarm DataLock
ZoneAlarm Extreme Security
ZoneAlarm Firewall
ZoneAlarm Security
.
==== End Of File ===========================
==========
SecurityCheck
==========
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Security Center service is not running! This report may not be accurate!
ZoneAlarm Antivirus
ZoneAlarm Firewall
ZoneAlarm Extreme Security
ZoneAlarm Security
ZoneAlarm DataLock
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Adobe Flash Player 11.2.202.235
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````
Hi, wilko.
Version 7.0 of Adobe Acrobat is extremely outdated and vulnerable.
ZoneAlarm appears to be interfering with running the tools. According to the log there are no running processes, which obviously isn't the case. You will need to very carefully make sure ZoneAlarm doesn't interfere in the next step.
Please follow these instructions carefully.
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
!!! IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
Hello Corrine,
ComboFix.txt log pasted below...
Notes:
Acrobat 7 has been removed from this computer a few years back. It seems the uninstall left a few remnants but the program is definitely not installed nor does it appear in the Add/Remove program list.
I disabled ZoneAlarm prior to running ComboFix but was not sure how to disable MBAM. I think the free version just runs on demand, correct?
I had to resort to editing the registry with the following command to restore access to Task Manager in the infected account:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Question: Don't want to get ahead of myself but once I get the "Joanne" account cleaned up, do I need to repeat the whole process (DDS, SecurityCheck, ComboFix, etc) for each user account on this computer? The reason I ask is because most of the problems seemed to happen only in that specific account. When logging into the other accounts, the problems were less severe or just not apparent (e.g. Task Manager disabled, empty desktop, etc).
==========
ComboFix.txt
==========
ComboFix 12-05-25.03 - Joanne 05/25/2012 22:48:50.1.2 - x86
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Start Menu\Programs\Startup\Shortcut to IAAnotif.exe.lnk
c:\documents and settings\Joanne\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Joanne\Local Settings\Temporary Internet Files\myfile[1].AOI
c:\documents and settings\Joanne\Local Settings\Temporary Internet Files\myfile[2].AOI
c:\documents and settings\Joint\Local Settings\Temporary Internet Files\myfile[1].AOI
c:\documents and settings\Joint\Local Settings\Temporary Internet Files\myfile[2].AOI
C:\install.exe
c:\windows\system32\drivers\1028_DELL_XPS_Dell DM051 .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DM051 .MRK
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\documents and settings\Joanne\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 21:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 07:37 . 2012-05-25 19:10 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-01 20:40 . 2012-05-01 20:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 15:25 . 2012-05-01 15:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Softland
2012-05-01 15:10 . 2012-05-01 15:10 -------- d-----w- c:\windows\MATS
2012-05-01 15:10 . 2012-05-01 15:10 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-05-01 14:13 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-01 14:13 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-01 14:13 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-01 14:13 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-01 14:13 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-01 14:13 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-01 14:13 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-01 14:13 . 2004-08-04 01:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-01 14:13 . 2008-04-13 17:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2012-05-01 14:13 . 2004-08-04 01:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-01 14:13 . 2008-04-13 23:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-01 14:11 . 2001-08-17 17:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-05-01 14:10 . 2001-08-17 16:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2012-05-01 14:09 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2012-05-01 14:08 . 2008-04-13 17:36 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2012-05-01 14:07 . 2001-08-18 02:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2012-05-01 14:06 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2012-05-01 14:05 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2012-05-01 14:04 . 2001-08-17 17:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-05-01 14:03 . 2001-08-18 02:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2012-05-01 14:02 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2012-05-01 14:01 . 2001-08-17 18:56 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll
2012-05-01 14:00 . 2001-08-17 16:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2012-05-01 13:59 . 2001-08-17 16:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2012-05-01 13:58 . 2001-08-18 02:36 27648 -c--a-w- c:\windows\system32\dllcache\cyzports.dll
2012-05-01 13:57 . 2008-04-13 23:11 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-01 13:56 . 2001-08-17 17:12 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2012-05-01 13:55 . 2001-08-17 18:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2012-05-01 13:54 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 19:16 . 2012-04-15 19:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 19:16 . 2011-05-15 15:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 20:42 . 2006-02-28 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-11 13:14 . 2008-01-02 16:14 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-01-02 16:14 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2007-02-28 04:16 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2006-02-28 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2006-02-28 12:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2011-10-11 32768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-16 136544]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"Netgear UDS Control Center"="c:\program files\NETGEAR\USB Control Center\Control Center.exe" [2011-06-28 21124096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Joint\Start Menu\Programs\Startup\
SpeedPlexer.lnk - c:\program files\SpeedPlexer\SpeedPlexer.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2011-10-10 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-10-10 805392]
ZoneAlarm Security.lnk - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\57xxSteelVine]
2008-01-22 15:28 1761280 ----a-w- c:\program files\Silicon Image\57xx SteelVine\SteelVineManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyGarminAgent]
2010-03-16 13:36 337256 ----a-w- c:\program files\Garmin\MyGarminAgent\myGarminAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-20 02:06 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayStatus]
2010-09-15 19:43 191208 ----a-w- c:\program files\TrayStatus\TrayStatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"57xx SteelVine Manager"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"ACDaemon"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [10/14/2010 6:08 PM 11352]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/6/2010 3:19 AM 169408]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 12:58 PM 1085440]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/10/2011 10:30 PM 3712]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [11/2/2011 9:24 AM 68896]
R2 QuickPDFTCPService0719;Quick PDF Tools Background Service;c:\program files\Quick PDF Tools\QuickPDFTCP0719.exe [4/27/2010 3:07 PM 1899008]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [12/17/2008 8:49 PM 16680]
R3 NetgearUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\NetgearUDSMBus.sys [6/16/2011 3:36 PM 86912]
S0 SI3132B;SI3132B;c:\windows\system32\drivers\SI3132B.sys [1/2/2008 10:19 AM 67200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/15/2012 3:41 PM 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [11/3/2011 10:44 AM 36744]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 NetgearUDSTcpBus;NetgearUDSTcpBus;c:\windows\system32\drivers\NetgearUDSTcpBus.sys [6/16/2011 3:35 PM 139648]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [3/6/2012 2:56 AM 137600]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [2/28/2006 8:00 AM 14336]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [6/23/2011 3:25 PM 157544]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 7:09 AM 606056]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [5/16/2011 4:31 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [5/16/2011 4:31 PM 60544]
S4 57xx SteelVine Manager;57xx SteelVine;c:\program files\Silicon Image\57xx SteelVine\SteelVine.exe [1/22/2008 11:28 AM 1310720]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 19:16]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Joanne.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Willie.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-26 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-25 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-20 15:21]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adp.ca
Trusted Zone: consortia-inc.com\office
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {A7C49732-4761-4A66-9945-BAF55E98E0E4} - hxxp://veatl.verint.com/cockpit/webclient/JDsAxV.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD} - (no file)
HKLM-Run-ISW - (no file)
SafeBoot-99275203.sys
HKLM_ActiveSetup-Neat ADF Scanner 2008 - reg copy HKLM\Software\The Neat Company\Neat ADF Scanner 2008 HKCU\Software\The Neat Company\Neat ADF Scanner 2008
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-25 23:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(860)
c:\windows\system32\relog_ap.dll
.
- - - - - - - > 'explorer.exe'(548)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\fxssvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2012-05-25 23:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-26 03:10
.
Pre-Run: 265,801,330,688 bytes free
Post-Run: 272,386,633,728 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8682389F6F80271CE77C5C68E0D754E8
Hi, wilko.
What we're doing will take care of all of the account.
Regarding the two entries in the Trusted Zone, personally, I would not allow any programs in the Trusted Zone. When you add a Web site to the Trusted Sites zone, the security level is set to Low. After all, even well known sites can be the victim of an SQL injection, hidden scripts, and more.
If you elect to remove the entries from the Trusted Zone, please do the following:
- Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
- Click Trusted Sites, and then click Sites.
- Click the site you want to delete, and then click Remove.
It appears that you have System Restore disabled. I suggest that it be enabled. Many problems can be solved by restoring to an earlier point.
Please go
here (http://www.eset.com/onlinescan/) to run an on-line scan from ESET.
- Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
- Copy and paste that log as a reply to this topic and also provide a fresh DDS.scr log (just DDS.txt; I don't need the Attach.txt again).
Hello Corrine,
The logs from ESET and DDS are pasted below.
Notes:
I disabled ZoneAlarm before running ESET and DDS.SCR.
ESET ran OK and found nothing but DDS.SCR "caused" a hard reboot a few minutes after launching it. I suspected this had to be related to the ZoneAlarm alert I got before when running DDS.SCR: MBR.DAT is trying to install a driver and gain full access to the OS. Allow/Deny? (see my posts of May 25, 2012, 02:27:10 PM, and 10:48:50 PM).
After the PC rebooted (RAID array was rebuilding so hard reboot like before), I re-enabled ZoneAlarm and ran DDS.SCR again. Sure enough, a few minutes after launching DDS.SCR, ZoneAlarm popped the alert about MBR.DAT. I denied it and DDS.SCR completed OK. The DDS log pasted below is from that second pass, after the hard reboot, with ZA running.
There seems to be something hiding on my computer that appears intent on messing with my master boot record. It seems to come to life when I run DDS.SCR. I searched the ZA logs to find out where this MBR.DAT file was hiding. I've pasted an excerpt of the ZA log below. They show DDS being launched at 20:40:58, then the MBR.DAT trying to install/modify a driver at 20:43:24, then being blocked around 20:43:32-36 when I answered "Deny" to 3 ZA prompts in a row. DDS then completes in a few minutes.
==========
ZA log showing DDS launch and MBR.DAT events
==========
OSFW,2012/05/28,20:40:58 -4:00 GMT,UNKNOWN(0),DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\regsvr32.exe,800000de
OSFW,2012/05/28,20:40:58 -4:00 GMT,ALLOWED,DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\regsvr32.exe,800000de
OSFW,2012/05/28,20:40:58 -4:00 GMT,UNKNOWN(0),DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\cmd.exe,80000527
OSFW,2012/05/28,20:40:58 -4:00 GMT,ALLOWED,DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\cmd.exe,80000527
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,LOAD,,mbr
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,LOAD,,mbr
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,CREATE,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,CREATE,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:32 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:34 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:34 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:34 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:36 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
I followed the path to the MBR.DAT file but could not find it. The "nsxC.tmp" folder indicated in the path shows up as a recycle bin icon and is empty. The full log also contains previous MBR.DAT events and the path is different each time. The basic path is the same (C:\Documents and Settings\Joanne\Local Settings\temp\????.tmp\MBR.DAT) but the last "????.tmp" directory changes each time I run DDS.SCR so the suspect file seems to move around.
Bottom line is that when ZoneAlarm is running, it catches it and prevents it if I click Deny. If I click Allow, or if ZA is not running, that MBR.DAT event does something and causes a hard reboot. It seems to me that behavior rules out a DDS/ZA interaction since when ZA is not running there is a hard reboot. Note that I redownloaded DDS.SCR from www.bleepingcomputer.com to make sure my copy was not broken.
Any ideas? Not sure if I am back to square one now because of that MBR.DAT thing. Should I be running a tool that checks for Master Boot Record infections? Next steps?
This is the worst infection I've ever had and I am very grateful for your patience and your help.
Thanks
==========
ESET
==========
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=5d54da6e2e423b4fbc95c44236616169
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-05-28 09:06:47
# local_time=2012-05-28 05:06:47 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16776869 100 13 6291990 13048704 0 0
# scanned=207943
# found=0
# cleaned=0
# scan_time=12253
==========
DDS
==========
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Joanne at 20:40:57 on 2012-05-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.2991 [GMT -4:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\NLSSRV32.EXE
C:\Program Files\Quick PDF Tools\QuickPDFTCP0719.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
mRun: [Netgear UDS Control Center] c:\program files\netgear\usb control center\Control Center.exe -mini
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech desktop messenger.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logitech setpoint.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zonealarm security.lnk - c:\program files\zone labs\zonealarm\zlclient.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.ca
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {A7C49732-4761-4A66-9945-BAF55E98E0E4} - hxxp://veatl.verint.com/cockpit/webclient/JDsAxV.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6E13A909-66AE-4DD3-BAB3-374BAEA3D255} : DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2010-10-14 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-10-14 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-9-21 327256]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-12-18 525840]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-10-10 3712]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [2011-11-2 68896]
R2 QuickPDFTCPService0719;Quick PDF Tools Background Service;c:\program files\quick pdf tools\QuickPDFTCP0719.exe [2010-4-27 1899008]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2011-11-3 36744]
R3 NetgearUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\NetgearUDSMBus.sys [2011-6-16 86912]
S0 SI3132B;SI3132B;c:\windows\system32\drivers\SI3132B.sys [2008-1-2 67200]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-19 133104]
S2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2008-12-17 16680]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-15 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-19 133104]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 NetgearUDSTcpBus;NetgearUDSTcpBus;c:\windows\system32\drivers\NetgearUDSTcpBus.sys [2011-6-16 139648]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-3-6 137600]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2006-2-28 14336]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2011-6-23 157544]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [2010-7-8 606056]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2011-5-16 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2011-5-16 60544]
S4 57xx SteelVine Manager;57xx SteelVine;c:\program files\silicon image\57xx steelvine\SteelVine.exe [2008-1-22 1310720]
.
=============== Created Last 30 ================
.
2012-05-28 17:15:11 -------- d-----w- c:\program files\ESET
2012-05-26 02:47:30 -------- d-sha-r- C:\cmdcons
2012-05-26 02:44:41 98816 ----a-w- c:\windows\sed.exe
2012-05-26 02:44:41 518144 ----a-w- c:\windows\SWREG.exe
2012-05-26 02:44:41 256000 ----a-w- c:\windows\PEV.exe
2012-05-26 02:44:41 208896 ----a-w- c:\windows\MBR.exe
2012-05-25 21:38:31 -------- d-----w- c:\documents and settings\joanne\application data\Malwarebytes
2012-05-25 21:38:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-25 21:38:09 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 21:38:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 07:37:39 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-01 20:40:26 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 15:10:08 -------- d-----w- c:\windows\MATS
2012-05-01 15:10:06 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-05-01 14:13:49 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-01 14:13:49 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-01 14:13:47 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-01 14:13:47 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-01 14:13:47 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-01 14:13:25 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-01 14:13:24 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-01 14:13:22 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-01 14:13:17 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2012-05-01 14:13:16 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-01 14:13:14 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-01 14:11:59 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-05-01 14:10:56 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2012-05-01 14:09:59 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2012-05-01 14:08:59 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2012-05-01 14:07:59 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2012-05-01 14:06:58 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2012-05-01 14:05:56 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2012-05-01 14:04:59 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-05-01 14:03:59 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2012-05-01 14:02:48 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2012-05-01 14:01:59 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys
2012-05-01 14:00:57 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2012-05-01 13:59:59 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2012-05-01 13:58:59 49792 -c--a-w- c:\windows\system32\dllcache\cyzport.sys
2012-05-01 13:57:58 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-01 13:56:59 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2012-05-01 13:55:59 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2012-05-01 13:54:59 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
.
==================== Find3M ====================
.
2012-05-05 19:16:09 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 19:16:09 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-01 20:42:21 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-11 13:14:41 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35:51 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 20:43:37.50 ===============
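Before treating the MBR.DAT rows as a resident infection, the first thing a responder does with a firewall log like the one wilko quoted is tie the suspect rows to the tool that was running. Two facts are already in the post: the rows sit inside the DDS run (DDS reports "Run by Joanne at 20:40:57" and "FINISH: 20:43:37", and the last BLOCKED row is at 20:43:36), and the DRIVER LOAD/CREATE/MODIFY rows all carry ALLOWED; only the later FILE sub-events carry BLOCKED. The script below is an added example, not part of the thread and not a ZoneAlarm tool: it parses the quoted OSFW rows (copied verbatim into the script) and produces that correlation. The column layout is inferred from the rows themselves, not from vendor documentation, and the program-name column can contain commas ("DDS, Doesn't Do Squat"), which is the parsing hazard the script handles. One piece of background the thread does not state: a directory named ns<hex>.tmp under the user's temp folder is the unpack directory naming used by NSIS-built self-extracting executables, which is why the script reports whether every row's path has that shape.

```python
"""Correlate ZoneAlarm OSFW log rows with the launch of a diagnostic tool.

Added example, not part of the thread and not a ZoneAlarm tool. ZA_LOG holds
the OSFW rows quoted in the post above, copied verbatim. The column layout
(type, date, time, verdict, program name, program path, event class, sub-event,
blank, target, code) is inferred from those rows. The ns<hex>.tmp pattern is
the temp-directory naming of NSIS-built self-extractors (background knowledge).
"""
import re
from datetime import datetime, timedelta

ZA_LOG = r"""OSFW,2012/05/28,20:40:58 -4:00 GMT,UNKNOWN(0),DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\regsvr32.exe,800000de
OSFW,2012/05/28,20:40:58 -4:00 GMT,ALLOWED,DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\regsvr32.exe,800000de
OSFW,2012/05/28,20:40:58 -4:00 GMT,UNKNOWN(0),DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\cmd.exe,80000527
OSFW,2012/05/28,20:40:58 -4:00 GMT,ALLOWED,DDS, Doesn't Do Squat,C:\Documents and Settings\Joanne\Desktop\dds.scr,PROCESS,SPAWNPROCESS,,C:\WINDOWS\system32\cmd.exe,80000527
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,LOAD,,mbr
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,LOAD,,mbr
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,CREATE,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,CREATE,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,ALLOWED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,DRIVER,MODIFY,,MBR
OSFW,2012/05/28,20:43:24 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:32 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:34 -4:00 GMT,UNKNOWN(0),MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:34 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),
OSFW,2012/05/28,20:43:36 -4:00 GMT,BLOCKED,MBR.DAT,C:\Documents and Settings\Joanne\Local Settings\temp\nsxC.tmp\MBR.DAT,FILE,Unknown Sub Event(2),"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
NSIS_UNPACK_RE = re.compile(r"\\Local Settings\\temp\\ns[0-9A-Za-z]+\.tmp\\", re.IGNORECASE)
DECISIONS = ("ALLOWED", "BLOCKED")   # UNKNOWN(0) rows precede each decision row; skipped


def parse_osfw(line):
    """Split one OSFW row into a dict, tolerating commas inside the program name."""
    fields = line.split(",")
    if len(fields) < 8 or fields[0] != "OSFW":
        return None
    # "DDS, Doesn't Do Squat" contains a comma, so locate the program-path column
    # by shape (drive letter, colon, backslash) instead of by fixed position.
    path_idx = next((i for i, f in enumerate(fields) if i >= 4 and PATH_RE.match(f)), None)
    if path_idx is None:
        return None
    when = datetime.strptime(fields[1] + " " + fields[2].split(" ")[0], "%Y/%m/%d %H:%M:%S")
    return {
        "time": when,
        "verdict": fields[3],
        "name": ",".join(fields[4:path_idx]),
        "path": fields[path_idx],
        "cls": fields[path_idx + 1],
        "event": fields[path_idx + 2],
        "target": fields[path_idx + 4] if len(fields) > path_idx + 4 else "",
    }


def correlate(log_text, launcher="dds.scr", subject="mbr.dat", window=timedelta(minutes=5)):
    """Relate every row for `subject` to the first process spawn by `launcher`."""
    events = [e for e in (parse_osfw(l) for l in log_text.splitlines()) if e]
    launches = [e["time"] for e in events
                if e["cls"] == "PROCESS" and e["path"].lower().endswith(launcher)]
    if not launches:
        return None
    t0 = min(launches)
    rows = [e for e in events
            if e["name"].lower() == subject and t0 <= e["time"] <= t0 + window]
    verdicts = {}
    for e in rows:
        if e["verdict"] in DECISIONS:
            verdicts.setdefault((e["cls"], e["event"]), set()).add(e["verdict"])
    first = min((e["time"] for e in rows), default=None)
    unpack_dirs = {m.group(0) for m in (NSIS_UNPACK_RE.search(e["path"]) for e in rows) if m}
    return {
        "launch": t0,
        "first_subject_event": first,
        "seconds_after_launch": int((first - t0).total_seconds()) if first else None,
        "all_in_nsis_unpack_dir": bool(rows) and all(NSIS_UNPACK_RE.search(e["path"]) for e in rows),
        "unpack_dirs": sorted(unpack_dirs),
        "verdicts": {k: sorted(v) for k, v in verdicts.items()},
    }


if __name__ == "__main__":
    r = correlate(ZA_LOG)
    print(f"launcher spawned at {r['launch']:%H:%M:%S}; first MBR.DAT row "
          f"{r['seconds_after_launch']} s later; unpack dirs: {r['unpack_dirs']}")
    for (cls, ev), v in sorted(r["verdicts"].items()):
        print(f"  {cls:7s} {ev:22s} -> {', '.join(v)}")
```

On the quoted rows the script reports the first MBR.DAT row 146 seconds after dds.scr spawned its helpers, every path inside the same ns*.tmp unpack directory, and ALLOWED for the driver load itself. The practical consequence is the one Corrine's next step addresses: whatever touched the MBR was not stopped by the Deny clicks, so an independent read of the MBR is what settles the question, not the firewall prompt.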
Hi, wilko.
Please download
aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) and save it to your Desktop.
- Double click aswMBR.exe to run it.
- Click Yes to the prompt to download Avast! virus definitions.
(Please be patient whilst the virus definitions download)
- With the AVscan set to Quick Scan, click the Scan button.
(Please be patient whilst your computer is scanned.)
- After a while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
- Click OK > Exit.
- Note: Do not attempt to fix anything at this stage!
- Two files will be created, aswMBR.txt & a file named MBR.dat.
- MBR.dat is a backup of the MBR (master boot record), do not delete it.
- I strongly suggest you keep a copy of this backup stored on an external device.
- Copy & Paste the contents of aswMBR.txt into your next reply.
Do I shut down ZoneAlarm before running aswMBR or just leave it running?
You should be able to leave it running. That said, since ZA doesn't like DDS, it may not care for aswMBR either. If ZA complains, close it.
Hello Corrine,
The log from aswMBR is pasted below.
Notes:
I saved the MBR.DAT file to a USB key as suggested.
I disabled ZoneAlarm before running aswMBR
==========
aswMBR.txt
==========
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-29 15:48:11
-----------------------------
15:48:11.171 OS Version: Windows 5.1.2600 Service Pack 3
15:48:11.171 Number of processors: 2 586 0x403
15:48:11.171 ComputerName: OFFICE01 UserName: Joanne
15:48:12.328 Initialize success
15:48:19.609 AVAST engine defs: 12052800
15:48:31.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:48:31.812 Disk 0 Vendor: Intel___ 1.0. Size: 476937MB BusType: 8
15:48:31.828 Disk 0 MBR read successfully
15:48:31.828 Disk 0 MBR scan
15:48:31.843 Disk 0 Windows XP default MBR code
15:48:31.875 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
15:48:31.890 Disk 0 scanning sectors +976768065
15:48:32.015 Disk 0 scanning C:\WINDOWS\system32\drivers
15:49:07.593 Service scanning
15:49:31.953 Modules scanning
15:49:52.781 Disk 0 trace - called modules:
15:49:52.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:49:52.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2b7a90]
15:49:52.828 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b2be028]
15:49:54.843 AVAST engine scan C:\WINDOWS
15:50:51.453 AVAST engine scan C:\WINDOWS\system32
15:58:36.656 AVAST engine scan C:\WINDOWS\system32\drivers
15:59:54.062 AVAST engine scan C:\Documents and Settings\Joanne
16:34:34.546 AVAST engine scan C:\Documents and Settings\All Users
18:02:18.390 Scan finished successfully
18:51:25.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joanne\Desktop\MBR.dat"
18:51:25.109 The log file has been saved successfully to "C:\Documents and Settings\Joanne\Desktop\aswMBR.txt"
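Corrine's advice to keep the MBR.dat backup off the machine is worth pairing with a way to read it, because a 512-byte backup is only useful if you can compare it against a known-good copy later. The script below is an added example, not part of the thread and not aswMBR code: it decodes the MBR layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries at offset 446, the 0x55AA signature at 510), hashes the boot code for comparison against a pinned baseline, and sanity-checks the partition table. The sample MBR it builds is constructed: the boot code is a jump stub plus zero fill, not the real Windows XP loader, and the single partition entry is filled in from the aswMBR log above (active, type 0x07 NTFS, LBA 63, 476937 MB; the sector count is chosen so that 63 plus the count equals the 976768065 offset aswMBR printed right after the partition line). It assumes MBR.dat is a raw copy of sector 0, which means the 62 sectors between the MBR and the first partition, a common stash for bootkit code, are outside what this check can see.

```python
"""Parse and sanity-check a 512-byte MBR backup such as the MBR.dat that aswMBR saves.

Added example, not part of the thread and not aswMBR code. The sample MBR is
constructed: filler boot code (not XP's), one partition filled in from the
aswMBR log (active, 0x07 NTFS, LBA 63, 476937 MB). Assumes MBR.dat is sector 0 only.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: code the BIOS jumps into
DISK_SIG_OFF = 440         # bytes 440..443: NT disk signature; 444..445 reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x07: "HPFS/NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_mbr():
    """Constructed MBR with one partition matching the figures in the aswMBR log."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (BOOT_CODE_LEN - 3)  # filler, not XP's loader
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"                 # made-up signature
    # 976768002 sectors: 976768002 // 2048 == 476937 MB and 63 + 976768002 == 976768065,
    # the sector offset the log shows aswMBR scanning right after the partition line.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 976_768_002)
    table = entry + b"\x00" * (16 * 3)
    mbr = boot_code + disk_sig + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def load_mbr(path):
    """Read sector 0 from a backup file (or a raw device opened read-only)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr):
    """Decode boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                       # empty slot
        partitions.append({
            "index": i + 1, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba, "sectors": count, "size_mb": count // 2048, "end_lba": lba + count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr, baseline_boot_sha256):
    """Return findings; an empty list means the MBR matches the pinned baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected 1")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for p in ordered:
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} claims to start at the MBR sector")
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


if __name__ == "__main__":
    good = load_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]   # pin this from a known-clean backup
    print(parse_mbr(good)["partitions"])
    print("backup vs. its own baseline:", check_mbr(good, baseline))
    tampered = bytearray(good)
    tampered[0x20] ^= 0xFF                           # one patched byte in the loader
    print("after patching one loader byte:", check_mbr(bytes(tampered), baseline))
```

Run it once against the MBR.dat that aswMBR wrote on a day the scanners agree the disk is clean, record the boot-code hash, and later runs against a fresh copy of sector 0 will flag any rewritten loader even when the partition table still looks normal, which is the pattern the MBR-resident ransomware and bootkits of that era relied on.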
Thank you, wilko. Looks good. Neither ComboFix nor aswMBR show any signs of an issue with the MBR. In addition, the ESET online scan showed clean!
Let's do some minor cleanup with ComboFix.
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
Folder::
c:\program files\adobe\acrobat 7.0
DDS::
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
IE: Convert link target to Adobe PDF -
IE: Convert link target to existing PDF -
IE: Convert selected links to Adobe PDF -
IE: Convert selected links to existing PDF -
IE: Convert selection to Adobe PDF -
IE: Convert selection to existing PDF -
IE: Convert to Adobe PDF -
IE: Convert to existing PDF -
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Hello Corrine,
ComboFix.txt log pasted below...
Notes:
Note that there is still 1 Trusted Site (adp.ca) which has to stay that way. It is a payroll site that needs to be "trusted" for its apps to work properly.
==========
ComboFix.txt
==========
ComboFix 12-05-29.01 - Joanne 05/29/2012 21:03:29.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3710.3115 [GMT -4:00]
Running from: c:\documents and settings\Joanne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joanne\Desktop\CFScript.txt
FW: ZoneAlarm Extreme Security Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Joanne\Local Settings\Temp\IadHide5.dll
c:\program files\adobe\acrobat 7.0
c:\program files\adobe\acrobat 7.0\Resource\Cmap\AdobeFnt09.lst
c:\program files\adobe\acrobat 7.0\Resource\Font\AdobeFnt09.lst
c:\program files\adobe\acrobat 7.0\Resource\Font\Pfm\AdobeFnt09.lst
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))
.
.
2012-05-28 17:15 . 2012-05-28 17:15 -------- d-----w- c:\program files\ESET
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\documents and settings\Joanne\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-05-25 21:38 . 2012-05-25 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-25 21:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-25 07:37 . 2012-05-25 19:10 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-01 20:40 . 2012-05-01 20:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 15:25 . 2012-05-01 15:25 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Softland
2012-05-01 15:10 . 2012-05-01 15:10 -------- d-----w- c:\windows\MATS
2012-05-01 15:10 . 2012-05-01 15:10 -------- d-----w- c:\program files\Microsoft Fix it Center
2012-05-01 14:13 . 2008-04-13 23:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-05-01 14:13 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-05-01 14:13 . 2008-04-13 23:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-05-01 14:13 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-05-01 14:13 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-05-01 14:13 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2012-05-01 14:13 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2012-05-01 14:13 . 2004-08-04 01:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2012-05-01 14:13 . 2008-04-13 17:46 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys
2012-05-01 14:13 . 2004-08-04 01:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2012-05-01 14:13 . 2008-04-13 23:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2012-05-01 14:11 . 2001-08-17 17:28 604253 -c--a-w- c:\windows\system32\dllcache\vmodem.sys
2012-05-01 14:10 . 2001-08-17 16:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2012-05-01 14:09 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2012-05-01 14:08 . 2008-04-13 17:36 6912 -c--a-w- c:\windows\system32\dllcache\smbclass.sys
2012-05-01 14:07 . 2001-08-18 02:36 62496 -c--a-w- c:\windows\system32\dllcache\s3mtrio.dll
2012-05-01 14:06 . 2001-08-18 02:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2012-05-01 14:05 . 2001-08-17 16:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2012-05-01 14:04 . 2001-08-17 17:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2012-05-01 14:03 . 2001-08-18 02:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2012-05-01 14:02 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys
2012-05-01 14:01 . 2001-08-17 18:56 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll
2012-05-01 14:00 . 2001-08-17 16:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2012-05-01 13:59 . 2001-08-17 16:12 50719 -c--a-w- c:\windows\system32\dllcache\e1000nt5.sys
2012-05-01 13:58 . 2001-08-18 02:36 27648 -c--a-w- c:\windows\system32\dllcache\cyzports.dll
2012-05-01 13:57 . 2008-04-13 23:11 121856 -c--a-w- c:\windows\system32\dllcache\camext30.dll
2012-05-01 13:56 . 2001-08-17 17:12 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2012-05-01 13:55 . 2001-08-17 18:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2012-05-01 13:54 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 19:16 . 2012-04-15 19:41 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 19:16 . 2011-05-15 15:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-01 20:42 . 2006-02-28 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-11 13:14 . 2008-01-02 16:14 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2008-01-02 16:14 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2007-02-28 04:16 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-01 11:01 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2011-10-11 32768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-16 136544]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-09-19 87336]
"Netgear UDS Control Center"="c:\program files\NETGEAR\USB Control Center\Control Center.exe" [2011-06-28 21124096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-19 73360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Joint\Start Menu\Programs\Startup\
SpeedPlexer.lnk - c:\program files\SpeedPlexer\SpeedPlexer.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2011-10-10 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-10-10 805392]
ZoneAlarm Security.lnk - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\57xxSteelVine]
2008-01-22 15:28 1761280 ----a-w- c:\program files\Silicon Image\57xx SteelVine\SteelVineManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 09:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyGarminAgent]
2010-03-16 13:36 337256 ----a-w- c:\program files\Garmin\MyGarminAgent\myGarminAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-10-20 02:06 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayStatus]
2010-09-15 19:43 191208 ----a-w- c:\program files\TrayStatus\TrayStatus.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"57xx SteelVine Manager"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor5.0"=2 (0x2)
"ACDaemon"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NETGEAR\\USB Control Center\\Control Center.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7423:UDP"= 7423:UDP:NETGEAR USB Control Center UDP Port
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [10/14/2010 6:08 PM 11352]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/6/2010 3:19 AM 169408]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 12:58 PM 1085440]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 10:44 AM 27016]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 10:44 AM 497280]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [10/10/2011 10:30 PM 3712]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [11/2/2011 9:24 AM 68896]
R2 QuickPDFTCPService0719;Quick PDF Tools Background Service;c:\program files\Quick PDF Tools\QuickPDFTCP0719.exe [4/27/2010 3:07 PM 1899008]
R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [12/17/2008 8:49 PM 16680]
R3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [11/3/2011 10:44 AM 36744]
R3 NetgearUDSMBus;UDS Master Bus of Kernel USB Software Bus by TCP;c:\windows\system32\drivers\NetgearUDSMBus.sys [6/16/2011 3:36 PM 86912]
R3 NetgearUDSTcpBus;NetgearUDSTcpBus;c:\windows\system32\drivers\NetgearUDSTcpBus.sys [6/16/2011 3:35 PM 139648]
S0 SI3132B;SI3132B;c:\windows\system32\drivers\SI3132B.sys [1/2/2008 10:19 AM 67200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/15/2012 3:41 PM 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/19/2009 10:07 PM 133104]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 10:09 PM 267568]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [3/6/2012 2:56 AM 137600]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [2/28/2006 8:00 AM 14336]
S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;c:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [6/23/2011 3:25 PM 157544]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 7:09 AM 606056]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [5/16/2011 4:31 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [5/16/2011 4:31 PM 60544]
S4 57xx SteelVine Manager;57xx SteelVine;c:\program files\Silicon Image\57xx SteelVine\SteelVine.exe [1/22/2008 11:28 AM 1310720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 19:16]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Joanne.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-05-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-OFFICE01-Willie.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-07-29 06:25]
.
2012-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-30 c:\windows\Tasks\ConfigExec.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-29 c:\windows\Tasks\DataUpload.job
- c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 02:09]
.
2012-05-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-20 15:21]
.
2012-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
2012-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 02:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: adp.ca
TCP: DhcpNameServer = 192.168.1.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.0.1.0/GarminAxControl_32.CAB
DPF: {A7C49732-4761-4A66-9945-BAF55E98E0E4} - hxxp://veatl.verint.com/cockpit/webclient/JDsAxV.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-29 21:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\relog_ap.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
.
- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\CheckPoint\ZAForceField\AK\icsak.dll
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\progra~1\CheckPoint\ZoneAlarm\MailFrontier\mlfhook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(812)
c:\program files\CheckPoint\ZAForceField\AK\akconsole.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\progra~1\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
.
**************************************************************************
.
Completion time: 2012-05-29 21:32:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-30 01:32
ComboFix2.txt 2012-05-26 03:10
.
Pre-Run: 272,330,825,728 bytes free
Post-Run: 272,357,339,136 bytes free
.
- - End Of File - - 97B7CF92287130B1CADBEEEE78CC0F82
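As an added example (not part of this thread and not ComboFix's own code), here is a small Python triage helper for reading a ComboFix-style log like the one above. It parses the two sections that matter most on a first pass: the firewall policy key (`"EnableFirewall"= 0` in the log means the Windows Firewall standard profile is off) and the per-process DLL list, flagging any module or process that runs from a user-writable location such as a Temp or Application Data folder, which is exactly what the log records for IadHide5.dll inside explorer.exe. The sample log text, the `updater.exe` entry and the list of path markers are constructed for the example; the section headers and line shapes mirror the log format above.

```python
import re

# Constructed sample modelled on the ComboFix log format in this thread.
# The updater.exe entry is invented to show the "Other Running Processes" check.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(388)
c:\windows\system32\WININET.dll
c:\docume~1\Joanne\LOCALS~1\Temp\IadHide5.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\documents and settings\Joanne\Application Data\updater.exe
.
"""

PROCESS_HEADER = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)")
FIREWALL_KEY = re.compile(r'^"EnableFirewall"=\s*(\d+)')
DLL_SECTION = "DLLs Loaded Under Running Processes"
PROC_SECTION = "Other Running Processes"

# Path fragments (assumed list, lower-case) that ordinary users can write to.
# Legitimate system modules rarely load from these, so a hit deserves a look.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def parse_log(text):
    """Return (firewall_enabled, {process: [dll, ...]}, [other_process_path, ...])."""
    firewall_enabled = None   # None if the key never appears in the log
    loaded = {}
    others = []
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix uses "." as a spacer line
            continue
        m = FIREWALL_KEY.match(line)
        if m:
            firewall_enabled = m.group(1) != "0"
            continue
        if DLL_SECTION in line:
            section, current = "dlls", None
            continue
        if PROC_SECTION in line:
            section = "procs"
            continue
        m = PROCESS_HEADER.match(line)
        if m and section == "dlls":
            current = f"{m.group('name')}({m.group('pid')})"
            loaded[current] = []
            continue
        if section == "dlls" and current:
            loaded[current].append(line)
        elif section == "procs":
            others.append(line)
    return firewall_enabled, loaded, others


def is_user_writable(path):
    """True if the path sits under a location a non-admin user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage(text):
    """Return a list of human-readable findings from a ComboFix-style log."""
    firewall_enabled, loaded, others = parse_log(text)
    findings = []
    if firewall_enabled is False:
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    for proc, dlls in loaded.items():
        for dll in dlls:
            if is_user_writable(dll):
                findings.append(f"{proc} has a module loaded from a user-writable path: {dll}")
    for exe in others:
        if is_user_writable(exe):
            findings.append(f"process running from a user-writable path: {exe}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The helper does not decide what is malicious; it only narrows a long log down to the handful of lines a person should check first (a disabled firewall, and code running from places where a limited account can drop files), which is the same reading that leads the forum helper here to the Temp-folder DLL.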
Hi, wilko.
Quote: Note that there is still 1 Trusted Site (adp.ca) which has to stay that way. It is a payroll site that needs to be "trusted" for its apps to work properly.
That was why I left the decision to you. :)
Please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).
Having a firewall, anti-virus and anti-malware software is not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now. For additional information, see my blog post Understanding Microsoft Updates (http://securitygarden.blogspot.com/2007/12/understanding-microsoft-updates.html).
To check if your system is missing security updates or has insecure applications, install Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) or, alternatively, visit http://secunia.com/software_inspector/ . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.brightfort.com/sbdownload_setup.html
My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html. If you have questions about WinPatrol, we have a forum here at LzD: WinPatrol Help & Information (http://www.landzdown.com/winpatrol-help-information/).
Please let me know if you have any questions.
Hello Corrine,
First, thank you for your help. I will definitely make a ComboFix contribution. Does LandzDown Forum also accept contributions? If so, please let me know how.
Given the fact that ZA has let through 2 major infections in the last few months, I will be replacing it with Norton Internet Security 2012 on my wife's computer. I chose Norton after reviewing trade mag test results and Passmark benchmark re protection performance and CPU overhead. My wife needs something as hands-off as possible otherwise I get a call every time a pop-up appears...
Do you also recommend I install SpywareBlaster on top of Norton? Does it do more/better than Norton? How resource hungry is it (the PC is a 3.2GHz P4 so I don't want to slow it down too much)?
I am still puzzled by the hard reboot event when I run DDS.SCR on the XP_PRO-SP3 machines. I tried running it on a laptop with the same XP version (same install disk) as Joanne's desktop. I get the same reboot behavior when I disable ZA or click "allow" when ZA prompts me about MBR.DAT trying to take control of the OS. As you suggested, that does smell like some kind of interaction btwn DDS and ZA. Perhaps ZA has some processes running in the background even when disabled that interact with the DDS scan and cause the reboot. On the other hand, DDS is supposed to be a scan-only tool so how does MBR.DAT pop up and try to install drivers??? Have you heard about or seen this type of interaction? I'm tempted to uninstall ZA completely on the laptop and try DDS again to see if the hard reboot still happens. Not that I have time to kill but my engineering background makes this an itch I can't help but scratch ;o)
I took a look at WinPatrol and it looks more like a set of utilities rather than an AV/AM. Are you suggesting I install it in addition to my selected AV/AM solution? There also seem to be issues with XP_PRO.
Thanks again Corrine for your help and patience.
Hi, wilko.
You are most welcome! I'm sure the developer of ComboFix will appreciate a donation. As to LandzDown Forum, no, we don't accept contributions. Instead, we suggest that people donate to the developers of the free tools that we use, as you indicated you are, or treat themselves to a licensed version of Malwarebytes, WinPatrol, or similar security tool.
Checkpoint hasn't been in the antivirus business for very long. To quote a comment that a fellow MVP made in a topic at another site today:
Quote: Zone Alarm - we see too many issues with this, and they're not always real easy to diagnose.
Since aswMBR didn't find any issues, I think it was Zone Alarm being persnickety and causing problems with DDS. If you have problems removing Zone Alarm, this Zone Alarm KB topic may be useful: I cannot find or run the ZoneAlarm uninstall program (XP/2000) (http://server.iad.liveperson.net/hc/s-28464961/cmd/kbresource/kb-8829832496545853883/view_question!PAGETYPE?sf=101133&documentid=344896&action=view). Another option is OPSWAT AppRemover (http://www.appremover.com/supported-applications).
With regard to SpywareBlaster, it merely runs in the background. Although from 2004, this tutorial at Bleeping Computer illustrates installation and updating of the program: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware (http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/). I've used SpywareBlaster on every computer I've had since Windows 95! You will need to check periodically for updates -- generally every month or so.
Yes, you are correct. WinPatrol is more of a system monitor, which is my favorite aspect of the program. Even on Windows Vista and Windows 7 with UAC, that doesn't tell me if a program adds itself to start-up, even though I did a custom install and unchecked that option. WinPatrol alerts me and provides the option of blocking or allowing it. It has a HOSTS file monitor, can be used to remove browser hijacks, control ActiveX and more.