isiswisdom

Lost Desktop - Utility Rundll32.exe


Greetings,

I lost my desktop; it is now red with only two icons on the desktop. The startup box comes up and says the configuration has changed. When I check the startup, two rundll32.exe entries come up associated with some strange lettering. I can't even access System Restore, my computer is slow, and a memory error keeps coming up. Here is my HijackThis log. Windows XP, and I'm using the latest Panda antivirus 2011.

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:34:19 AM, on 3/26/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrls.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\SRVLOAD.EXE

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Ftl.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\WINDOWS\Fmacac.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\OfferBox\OfferBox.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PavBckPT.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Local Settings\Temporary Internet Files\Content.IE5\ODIVK9MN\HijackThis[1].exe

C:\Program Files\Panda Security\Panda Internet Security 2011\psimreal.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.3\dealioToolbarIE.dll

R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

O2 - BHO: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.3\dealioToolbarIE.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: OfferBox - {FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - C:\Program Files\OfferBox\OfferBoxBHO.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll

O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\tbuTor.dll

O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll

O3 - Toolbar: Dealio Toolbar - {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - C:\Program Files\Dealio Toolbar\IE\4.3\dealioToolbarIE.dll

O4 - HKLM\..\Run: [searchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Internet Security 2011\Inicio.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Afuha] rundll32.exe "C:\WINDOWS\azekudatugapojuy.dll",Startup

O4 - HKLM\..\RunOnce: [1d63ae] wscript /B C:\WINDOWS\TEMP\1d63ae.vbs

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [OUU6KC5WPX] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe

O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')

O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257970715500

O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe

 

--

End of file - 14586 bytes

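As an added example (not part of this thread, and not code from HijackThis, DDS or Panda), here is a small Python triage script that reads the O4 lines of the log above, together with the equivalent uRun/mRun/mRunOnce lines from a DDS report, and flags the three patterns that matter in it: rundll32.exe loading a DLL from the Windows root rather than System32, a RunOnce entry handing wscript a .vbs from C:\WINDOWS\TEMP, and an executable started from the user's Temp folder. The sample lines are copied from the posted log; the location classes and the machine-generated-name heuristic are my own assumptions, not a property of either tool.

```python
"""Triage autorun entries from a HijackThis (O4) or DDS (uRun/mRun/mRunOnce)
log for the patterns visible in this thread. Added example, not from the
thread or from any tool it mentions."""
import re

# Constructed sample: benign and suspicious lines copied from the logs posted
# above, in both the HijackThis and the DDS "Pseudo HJT" formats.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Afuha] rundll32.exe "C:\WINDOWS\azekudatugapojuy.dll",Startup
O4 - HKLM\..\RunOnce: [1d63ae] wscript /B C:\WINDOWS\TEMP\1d63ae.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OUU6KC5WPX] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe
mRun: [Afuha] rundll32.exe "c:\windows\azekudatugapojuy.dll",Startup
uRun: [OUU6KC5WPX] c:\docume~1\compaq~1.000\locals~1\temp\Fs4.exe
"""

HJT_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run(?:Once)?): "
                    r"\[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
DDS_RUN = re.compile(r"^(?P<hive>[um])(?P<key>Run(?:Once)?): "
                     r"\[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
HIVES = {"hklm": "machine", "m": "machine", "hkcu": "user", "u": "user"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Heuristic (my assumption): value names like OUU6KC5WPX or 1d63ae (all-caps
# alphanumerics containing a digit, or a short hex string) look generated.
RANDOM_NAME = re.compile(r"^(?:(?=.*\d)[A-Z0-9]{8,}|[0-9a-f]{6,})$")


def location(path):
    """Coarse classification of where a file lives, used by the checks below."""
    p = path.lower().replace("/", "\\")
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"
    if "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p:
        return "system32"
    if "\\program files" in p or "\\progra~1\\" in p:
        return "program_files"
    if "\\windows\\" in p:
        return "windows_root"
    return "other"


def tokens(cmdline):
    """Split a command line on whitespace, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess(entry):
    """Return the reasons an autorun entry looks suspicious (empty list if none)."""
    reasons = []
    parts = tokens(entry["cmd"])
    if not parts:
        return reasons
    program, args = parts[0], parts[1:]
    prog = program.lower().rsplit("\\", 1)[-1]
    if prog in ("rundll32.exe", "rundll32"):
        # rundll32 takes "<dll>,<export>"; a DLL outside System32/Program Files
        # (here a random-named DLL in the Windows root) is the loader pattern.
        dll = args[0].split(",", 1)[0] if args else ""
        loc = location(dll)
        if loc not in ("system32", "program_files"):
            reasons.append("rundll32 loads DLL from %s: %s" % (loc, dll))
    elif prog in ("wscript.exe", "wscript", "cscript.exe", "cscript"):
        script = next((a for a in args if a.lower().endswith(SCRIPT_EXTS)), "")
        loc = location(script)
        if loc in ("temp", "windows_root"):
            reasons.append("script host runs script from %s: %s" % (loc, script))
    elif location(program) == "temp":
        reasons.append("executable launched from a Temp directory: %s" % program)
    if RANDOM_NAME.match(entry["name"]):
        reasons.append("value name looks machine-generated: %s" % entry["name"])
    return reasons


def parse_autoruns(text):
    """Extract Run/RunOnce entries from HijackThis O4 lines and DDS uRun/mRun lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_O4.match(line.strip()) or DDS_RUN.match(line.strip())
        if not m:
            continue
        entries.append({"hive": HIVES.get(m["hive"].lower(), m["hive"]),
                        "key": m["key"], "name": m["name"], "cmd": m["cmd"] or ""})
    return entries


def triage(text):
    """Parse a log and return the suspicious entries, de-duplicated across formats."""
    seen, flagged = set(), []
    for e in parse_autoruns(text):
        key = (e["hive"], e["key"].lower(), e["name"].lower(), e["cmd"].lower())
        if key in seen:
            continue
        seen.add(key)
        reasons = assess(e)
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%s\\%s [%s] %s" % (e["hive"], e["key"], e["name"], e["cmd"]))
        for r in e["reasons"]:
            print("    - " + r)
```

Run it as a script for a printed summary, or call triage() on the full text of a log. The de-duplication key is (hive, key, name, command) after lowercasing, which is why the same entry reported once by HijackThis and once by DDS is listed a single time.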

Hello isiswisdom

 

Are you able to connect to the Internet using the infected machine? Are you using a different machine to post on the forums?


I am, but I have a feeling not for long. But yes, it's the same computer.


Hello isiswisdom


Thanks for letting me know.

 

Please do the following:

  • Please scan the following files at VirusTotal:
    • On the page you'll find a "Browse" button.
    • Click on the Browse button.
    • In the Choose File to Upload window which opens, copy and paste this into the File Name box:

    C:\WINDOWS\Fmacac.exe

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
    • Once scanned, copy and paste the link to the results page in your next reply.
    • Please repeat this procedure for the following file:

    C:\WINDOWS\TEMP\1d63ae.vbs

  • Please perform the following scan:
    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs).
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  • Please scan your system with GMER:
    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to the desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following:
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button and wait for it to finish.
    • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

 

Please post the Virus Total scan links, the DDS logs and the GMER log in your next reply.

 

If you encounter any problems with the scans come back and let me know.

 



OK, here are the links to the reports from VirusTotal.

 

C:\WINDOWS\Fmacac.exe

http://www.virustotal.com/file-scan/report.html?id=22a195fc8f24c459c8b2462ca6b264343df2468e380065b3a4b7cfb60b2426c3-1301167442

 

C:\WINDOWS\TEMP\1d63ae.vbs

http://www.virustotal.com/file-scan/report.html?id=c84a6ee90e011a060a1609a2d5fbb03c09ed3ac3ea5fa114947cc931c0523d70-1301167270

 

Here are the reports for DDS

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Compaq_Owner at 15:29:27.29 on Sat 03/26/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.84 [GMT -4:00]

.

AV: Panda Internet Security 2011 *Enabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe

svchost.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k Akamai

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Application Updater\ApplicationUpdater.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrls.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE

C:\Program Files\Panda Security\Panda Internet Security 2011\SRVLOAD.EXE

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe

C:\WINDOWS\Fmacac.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\OfferBox\OfferBox.exe

C:\Program Files\Panda Security\Panda Internet Security 2011\PavBckPT.exe

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Ftl.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\OfferBox\OfferBox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Local Settings\Temporary Internet Files\Content.IE5\E3QPC5PV\dds[1].scr

C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.att.net

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uDefault_Page_URL = hxxp://www.aol.com/?ncid=customie8

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uInternet Settings,ProxyOverride = *.local

mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uURLSearchHooks: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.3\dealioToolbarIE.dll

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.3\dealioToolbarIE.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: OfferBox: {fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} - c:\program files\offerbox\OfferBoxBHO.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: {D0943516-5076-4020-A3B5-AEFAF26AB263} - No File

TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\ie\4.3\dealioToolbarIE.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [OUU6KC5WPX] c:\docume~1\compaq~1.000\locals~1\temp\Fs4.exe

mRun: [<NO NAME>]

mRun: [searchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"

mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2011\APVXDWIN.EXE" /s

mRun: [sCANINICIO] "c:\program files\panda security\panda internet security 2011\Inicio.exe"

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Afuha] rundll32.exe "c:\windows\azekudatugapojuy.dll",Startup

mRunOnce: [1d63ae] wscript /B c:\windows\temp\1d63ae.vbs

uPolicies-system: DisableTaskMgr = 1 (0x1)

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\icq7.2\ICQ.exe

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1257970715500

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avldr - avldr.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\compaq~1.000\applic~1\mozilla\firefox\profiles\9b3jo2ok.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

FF - component: c:\documents and settings\compaq_owner.atlantis.000\application data\mozilla\firefox\profiles\9b3jo2ok.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\program files\common files\spigot\wtxpcom\components\WidgiToolbarFF.dll

FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\Shim.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\application data\kalydo\kalydoplayer\npkalydo.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\compaq_owner.atlantis.000\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2011-3-7 76296]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [2011-3-7 59080]

R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [2011-3-7 13880]

.

=============== File Associations ===============

.

JSEFile=c:\progra~1\pandas~2\pandai~2\PAVSCRIP.EXE "%1" %*

VBEFile=c:\progra~1\pandas~2\pandai~2\PAVSCRIP.EXE "%1" %*

VBSFile=c:\progra~1\pandas~2\pandai~2\PAVSCRIP.EXE "%1" %*

.

=============== Created Last 30 ================

.

2011-03-26 07:27:46 162304 ---ha-w- c:\windows\Fmacac.exe

2011-03-26 07:23:14 162304 ---ha-w- c:\windows\Fmacab.exe

2011-03-26 07:07:49 467968 ---ha-w- c:\docume~1\alluse~1\applic~1\19062580.exe

2011-03-26 07:00:00 0 ----a-w- c:\windows\Fbudacikofe.bin

2011-03-26 06:59:37 -------- d--h--w- c:\docume~1\compaq~1.000\locals~1\applic~1\{1B3EA380-DCBC-4216-B27A-6BC260E0A715}

2011-03-26 06:58:29 -------- d--h--w- c:\docume~1\compaq~1.000\applic~1\OfferBox

2011-03-26 06:58:15 -------- d-----w- c:\program files\OfferBox

2011-03-26 06:57:52 545792 ---ha-w- c:\docume~1\alluse~1\applic~1\YmEwGJXgpidLPI.exe

2011-03-26 06:57:34 149504 --sha-r- c:\windows\system32\smbinstz.dll

2011-03-26 06:57:34 149504 --sha-r- c:\windows\system32\c_10000F.dll

2011-03-26 06:57:18 162304 ----a-w- c:\windows\Fmacaa.exe

2011-03-24 04:43:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-03-24 04:43:48 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-03-24 04:43:48 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-03-24 04:43:48 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-03-24 04:43:48 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-03-24 04:43:48 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-03-24 04:43:48 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-03-24 04:43:48 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-03-11 13:09:07 -------- d--h--w- c:\docume~1\alluse~1\applic~1\RegSERVO

2011-03-10 08:07:40 -------- dc----w- C:\4ff3ce1b35fd14d537958342742f2058

2011-03-09 05:35:54 401510 ----a-w- c:\program files\mozilla firefox\extensions\xpcom_core.dll

2011-03-07 15:01:49 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2011-03-07 15:00:07 -------- d--h--w- c:\docume~1\compaq~1.000\locals~1\applic~1\Panda Security

2011-03-07 14:55:46 282696 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT

2011-03-07 14:55:41 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys

2011-03-07 14:55:41 46856 ----a-w- c:\windows\system32\drivers\wnmflt.sys

2011-03-07 14:55:41 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys

2011-03-07 14:55:30 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS

2011-03-07 14:55:30 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys

2011-03-07 14:55:30 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS

2011-03-07 14:55:26 26696 ----a-w- c:\windows\system32\drivers\pavboot.sys

2011-03-07 14:55:00 54832 ----a-w- c:\windows\system32\pavcpl.cpl

2011-03-07 14:54:42 446464 ----a-w- c:\windows\system32\HHActiveX.dll

2011-03-07 14:54:30 193792 ----a-w- c:\windows\system32\TpUtil.dll

2011-03-07 14:54:29 87296 ----a-w- c:\windows\system32\PavLspHook.dll

2011-03-07 14:54:29 55552 ----a-w- c:\windows\system32\pavipc.dll

2011-03-07 14:54:29 107568 ----a-w- c:\windows\system32\SYSTOOLS.DLL

2011-03-07 14:54:27 518400 ----a-w- c:\windows\system32\PavSHook.dll

2011-03-07 14:54:21 199688 ----a-w- c:\windows\system32\drivers\neti1642.sys

2011-03-07 14:54:15 55552 ----a-w- c:\windows\system32\avldr.dll

2011-03-07 14:54:14 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys

2011-03-07 14:54:14 -------- d-----w- c:\windows\system32\PAV

2011-03-07 14:54:12 -------- d--h--w- c:\docume~1\compaq~1.000\applic~1\Panda Security

2011-03-07 14:54:12 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Panda Security

2011-03-07 14:53:16 37896 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys

2011-03-07 14:53:15 163336 ----a-w- c:\windows\system32\drivers\PavProc.sys

2011-03-07 14:53:15 -------- d-----w- c:\program files\common files\Panda Security

2011-03-05 19:59:46 -------- d--h--w- c:\docume~1\compaq~1.000\applic~1\Unity

2011-03-05 19:36:07 -------- d--h--w- c:\docume~1\compaq~1.000\locals~1\applic~1\Unity

2011-03-04 04:28:53 -------- d--h--w- c:\docume~1\compaq~1.000\applic~1\Search Settings

2011-03-04 04:28:47 -------- d-----w- c:\program files\Application Updater

2011-03-04 04:28:46 -------- d-----w- c:\program files\Dealio Toolbar

2011-03-04 04:28:46 -------- d-----w- c:\program files\common files\Spigot

2011-02-28 17:20:57 -------- d-----w- c:\program files\TweetDeck

.

==================== Find3M ====================

.

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 15:32:55.06 ===============

 

here is the attach

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 11/8/2009 10:38:54 PM

System Uptime: 3/26/2011 4:35:42 AM (11 hours ago)

.

Motherboard: ASUSTek Computer INC. | | Amberine M

Processor: AMD Athlon 64 Processor 3500+ | Socket 939 | 1969/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 179 GiB total, 71.403 GiB free.

D: is FIXED (FAT32) - 7 GiB total, 1.188 GiB free.

E: is CDROM (CDFS)

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 3/26/2011 3:22:47 AM - System Checkpoint

.

==== Installed Programs ======================

.

µTorrent

3ivx MPEG-4 5.0.3 (remove only)

5 Card Slingo from Compaq (remove only)

5600

5600_Help

5600Trb

aaa

Adobe AIR

Adobe CMaps CS4

Adobe Default Language CS4

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Media Player

Adobe PDF Library Files CS4

Adobe Photoshop 7.0

Adobe Reader 9.3.4

Adobe Type Support CS4

Agere Systems PCI-SV92PP Soft Modem

AiO_Scan

AiOSoftware

Akamai NetSession Interface

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft VideoImpression 2

Artisteer 2

AstroPop Deluxe from Compaq (remove only)

ATI Control Panel

ATI Display Driver

att.net Internet Mail

Auslogics Disk Defrag

Barnyard Invasion from Compaq (remove only)

Bejeweled 2 Deluxe from Compaq (remove only)

Blackhawk Striker 2 from Compaq (remove only)

Blasterball 2 from Compaq (remove only)

Blasterball 2 Remix from Compaq (remove only)

Boggle Supreme from Compaq (remove only)

Bonjour

Bookworm Deluxe from Compaq (remove only)

Bounce Symphony from Compaq (remove only)

BufferChm

Chuzzle Deluxe from Compaq (remove only)

Comcast High-Speed Internet Install Wizard

Compaq Connections (remove only)

Compaq Game Console and games

Compaq Multimedia Keyboard Software

Compaq Organize

Compatibility Pack for the 2007 Office system

Conduit Engine

Corel Painter X

CP_AtenaShokunin1Config

CP_CalendarTemplates1

cp_LightScribeConfig

cp_LightScribePlugin

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

Crystal Maze from Compaq (remove only)

CueTour

Customer Experience Enhancement

CustomerResearchQFolder

Dealio Toolbar v4.3

Definition update for Microsoft Office 2010 (KB982726)

Destinations

DivX Plus Web Player

DocProc

Easy Internet Sign-up

Facebook Plug-In

Family Feud

FATE from Compaq (remove only)

Fax

FileZilla Client 3.3.2.1

FlipShare

Flock (2.6.2)

FullDPAppQFolder

Google Talk Plugin

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Boot Optimizer

HP Extended Capabilities 5.3

HP Image Zone 5.3

HP Image Zone Express

HP Imaging Device Functions 5.3

HP PSC & OfficeJet 5.3.B

HP Support Overview

HP Update

HpSdpAppCoreApp

ICQ7.2

Insaniquarium Deluxe from Compaq (remove only)

InstantShareDevices

InterVideo WinDVD Player

iTunes

Japanese Language Support

Java Auto Updater

Java 6 Update 23

jZip

Kalydo Player 3.08.01

Lemonade Tycoon 2 from Compaq (remove only)

Lexibox Deluxe from Compaq (remove only)

LightScribe 1.4.52.1

Mah Jong Quest from Compaq (remove only)

MarketResearch

Media Player Codec Pack 3.9.1

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Money 2005

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 14

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Works

MobileMe Control Panel

Mozilla Firefox 4.0 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NewCopy

OfferBox Browser

ooVoo

OpenOffice.org 3.1

Panda Internet Security 2011

Panda Secure Vault 5

PC-Doctor 5 for Windows

PC Pitstop Exterminate2 2.0

PhotoGallery

Picasa 3

Polar Bowler from Compaq (remove only)

Polar Golfer from Compaq (remove only)

ProductContext

Puzzle Express from Compaq (remove only)

Python 2.2 pywin32 extensions (build 203)

Python 2.2.3

Quicken 2006

QuickTime

RandMap

Readme

RealPlayer

RedMon - Redirection Port Monitor

Remove WeatherBug Installer

Ricochet Lost Worlds from Compaq (remove only)

Safari

Scan

ScannerCopy

SCRABBLE from Compaq (remove only)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Office 2010 (KB2289078)

Security Update for Microsoft Office 2010 (KB2289161)

Security Update for Microsoft Publisher 2010 (KB2409055)

Security Update for Microsoft Word 2010 (KB2345000)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Shooting Stars Pool from Compaq (remove only)

Shrek 2 Ogre Bowler from Compaq (remove only)

SkinsHP1

Skype Recorder

Skype™ 5.1

Slingo Deluxe from Compaq (remove only)

Snowboard SuperJam from Compaq (remove only)

Sonic Express Labeler

Sonic MyDVD Plus

Sonic RecordNow Audio

Sonic RecordNow Copy

Sonic RecordNow Data

Sonic Update Manager

Sonic_PrimoSDK

Status

Super Granny from Compaq (remove only)

Tradewinds from Compaq (remove only)

TrayApp

TweetDeck

Unity Web Player

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2010 (KB2202188)

Update for Microsoft Office 2010 (KB2413186)

Update for Microsoft OneNote 2010 (KB2493983)

Update for Microsoft Outlook Social Connector (KB2289116)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951978)

Update for Windows XP (KB953356)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

USB2.0 PC Camera (SN9C201&202)

uTorrentBar Toolbar

VC80CRTRedist - 8.0.50727.4053

Veoh Video Compass

Veoh Web Player

WebFldrs XP

Wiley CulinarE-Companion

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinHTTrack Website Copier 3.43-9C

XML Copy Editor 1.0.8.2

Yahoo! Messenger

YouTube Downloader 2.6.1

Zoosk Messenger

Zuma Deluxe from Compaq (remove only)

.

==== Event Viewer Messages From Past Week ========

.

3/26/2011 3:22:31 AM, error: Service Control Manager [7000] - The adfs service failed to start due to the following error: The system cannot find the file specified.

.

==== End Of File ===========================

 

 

The last part you told me to do I'm having an issue with: unzipping the contents of the rootkit to run it. A C++ runtime error box comes up and says that the program I'm using to unzip the file is asking to close it in an unusual way. I use jZip; I do not have WinZip or the money to purchase it at the moment. Any other suggestions?

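The "Created Last 30" section of the DDS log above is where the infection shows itself: within half an hour on 3/26 a cluster of hidden executables lands directly in c:\windows and the shared Application Data folder, two system+hidden+read-only DLLs appear in system32, and a zero-byte .bin is dropped alongside them, while the legitimate entries (Firefox files, Panda drivers, avldr.dll) sit in their normal folders with normal attributes. The script below is an added example, not part of the original post or of the DDS tool: it parses that section and flags the same entries a responder would pull out by hand. The sample lines are copied from the log above; the attribute-flag layout, the folders treated as "hot", the random-name heuristic and the 30-minute burst window are assumptions made for this example.

```python
"""Triage the 'Created Last 30' section of a DDS log (added example, not part of DDS)."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "when size attrs path")

# Line layout as it appears in the log quoted above. Assumption: DDS emits
# '<date> <time> <size, or -------- for a directory> <8 attribute flags> <path>'
# with flags d=directory, s=system, h=hidden, r=read-only.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+([a-z-]{8})\s+(\S.*?)\s*$"
)

# Folders where a newly created hidden file is rarely legitimate (assumption).
WINDOWS = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32\\"
ALL_USERS_DATA = "c:\\docume~1\\alluse~1\\applic~1\\"
BURST = timedelta(minutes=30)  # anything created this close to a flagged file is reported too

# Constructed sample: a subset of the 'Created Last 30' lines from the log above.
SAMPLE_LOG = r"""
2011-03-26 07:27:46 162304 ---ha-w- c:\windows\Fmacac.exe
2011-03-26 07:23:14 162304 ---ha-w- c:\windows\Fmacab.exe
2011-03-26 07:07:49 467968 ---ha-w- c:\docume~1\alluse~1\applic~1\19062580.exe
2011-03-26 07:00:00 0 ----a-w- c:\windows\Fbudacikofe.bin
2011-03-26 06:59:37 -------- d--h--w- c:\docume~1\compaq~1.000\locals~1\applic~1\{1B3EA380-DCBC-4216-B27A-6BC260E0A715}
2011-03-26 06:58:15 -------- d-----w- c:\program files\OfferBox
2011-03-26 06:57:52 545792 ---ha-w- c:\docume~1\alluse~1\applic~1\YmEwGJXgpidLPI.exe
2011-03-26 06:57:34 149504 --sha-r- c:\windows\system32\smbinstz.dll
2011-03-26 06:57:34 149504 --sha-r- c:\windows\system32\c_10000F.dll
2011-03-26 06:57:18 162304 ----a-w- c:\windows\Fmacaa.exe
2011-03-24 04:43:50 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-07 15:01:49 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys
2011-03-07 14:54:15 55552 ----a-w- c:\windows\system32\avldr.dll
"""

def parse_created_last_30(text):
    """Return an Entry for every well-formed line; anything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        size = None if m.group(2).startswith("-") else int(m.group(2))
        entries.append(Entry(when, size, m.group(3), m.group(4)))
    return entries

def directly_in(path, folder):
    """True when path (lower-cased) is an immediate child of folder, not deeper."""
    return path.startswith(folder) and "\\" not in path[len(folder):]

def looks_random(stem):
    """All-digit names, or names that flip letter case many times (YmEwGJXgpidLPI)."""
    if stem.isdigit():
        return True
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips >= 4

def own_reasons(entry):
    """Reasons an entry is suspicious by itself; directories are judged only by timing."""
    if "d" in entry.attrs:
        return []
    low = entry.path.lower()
    name = entry.path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    ext = ext.lower()
    hot = (directly_in(low, SYSTEM32) or directly_in(low, WINDOWS)
           or directly_in(low, ALL_USERS_DATA))
    reasons = []
    if hot and ("h" in entry.attrs or "s" in entry.attrs):
        reasons.append("hidden/system file dropped directly into a system or shared folder")
    if hot and ext in ("exe", "dll") and looks_random(stem):
        reasons.append("random-looking %s name" % ext)
    if directly_in(low, WINDOWS) and ext == "exe":
        reasons.append("new .exe in the Windows root (updates land in system32, not here)")
    if entry.size == 0 and directly_in(low, WINDOWS):
        reasons.append("zero-byte marker file in the Windows root")
    return reasons

def triage(text):
    """Map each suspicious path to its reasons, adding burst-timing hits for the rest."""
    entries = parse_created_last_30(text)
    findings = {e.path: own_reasons(e) for e in entries}
    anchors = [e.when for e in entries if findings[e.path]]
    for e in entries:
        if findings[e.path]:
            continue
        near = sum(1 for t in anchors if abs(e.when - t) <= BURST)
        if near:
            findings[e.path].append("created within %d min of %d flagged file(s)"
                                    % (BURST.seconds // 60, near))
    return {path: why for path, why in findings.items() if why}

if __name__ == "__main__":
    for path, why in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for reason in why:
            print("    -", reason)
```

Run against the sample it reports the eight dropped files plus the two folders (OfferBox and the GUID-named folder) created during the same burst, and stays quiet on the Firefox and Panda files; that burst rule is what ties the OfferBox install to the infection even though the folders themselves carry no suspicious attributes.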
Ok, I found another free unzip program and used the GMER Rootkit Scanner, but oddly enough another road block: I can't seem to paste or attach the results here. I'm going to see if I can email it to you on here.


Hello isiswisdom

 

Thank you for the ARK scan.

 

Please work your way through the following steps:

 

  • P2P Programs:

     

     

    • P2P programs are a major source of Malware infections.
    • From your log I see you have µTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.

    • Information regarding the risk of using these programs can be found from here and here.

    • It is strongly recommended that you uninstall any P2P programs you have on your system.

    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the "µTorrent" program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.

       

       

      PLEASE NOTE:

    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  • Toolbars

     

     

    • I can see that you have uTorrentBar Toolbar and Dealio Toolbar v4.3 installed.
    • We recommend that you uninstall these toolbars from your machine.
    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find each program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.

  • Combofix

     

     

    • Download ComboFix from one of the following locations:

       

      Link 1

      Link 2

    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here .
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image

     

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

     

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    • Should there be issues with internet afterward:

       

      In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

       

      In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxy server, set it to No Proxy.

    Please post the ComboFix log in your next reply :)


I got my desktop back but the background is still red. So far so good it seems. I removed those other programs as well. Do you see anything else that I might need to do?


Hello isiswisdom

 

Thank you for the log.

 

Do you see anything else that I might need to do?

I do :) We still have a bit more work to do so please stay with me until you get the "all clear".

 

  • Please make all files and folders Visible:

     

     

    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
    • Close the window with "OK".

  • Please scan the following files

     

     

     

    • On the page you'll find a "Browse" button.
    • Click on the Browse button.
    • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

     

    C:\WINDOWS\system32\smbinstz.dll

     

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.
    • Please repeat this procedure for the following files:

     

    C:\WINDOWS\system32\c_10000F.dll

    I can see evidence of McAfee products on your machine. If you no longer use McAfee let me know and I will provide you with a removal tool.

     

    Please post the VT scan links in your next reply :)


There is a problem with the virus scan. Every time I try to post it into the site it keeps giving me this error that says: Server error!

 

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

 

If you think this is a server error, please contact the. So what next? And I no longer use McAfee so please send that tool.



Hello isiswisdom

 

I no longer use McAfee so please send that tool

We will deal with the McAfee leftovers once your machine is clean.

 

Every time I try to post it into the site it keeps giving me this error that says: Server error!

Strange. I checked a couple of files on my machine and it appears to be working fine.

 

The files I asked you to scan look suspicious to me...

 

Let's try the following scanner instead:

 

 

  • Jotti

     

    Please scan the files using Jotti's Malware File Scanner by clicking here.

     

  • Click on the "Browse" button located at the top of the screen.
  • Navigate to the requested file ().
  • Click on the file you want to be analysed and then click "open".
  • You will see your file appear in the text box on the Jotti site.
  • Click the "Submit" button and wait for your file to be analysed.

Once the file has been analysed, a log will be created. Please post the log for each file that you have scanned in your next reply.

 

If Jotti is busy, please give Virscan a try: http://virscan.org/

 

 

 


Filename: smbinst.exe

Status:

Scan finished. 0 out of 20 scanners reported malware.

Scan taken on: Wed 30 Mar 2011 19:01:21 (CET) Permalink

 

Additional info

File size: 8192 bytes

Filetype: PE32 executable for MS Windows (console) Intel 80386 32-bit

MD5: e59ee4d24de74a110a8829fec6c642e4

SHA1: 68ce2d45fc8e0841ec0aa9f91f85bcd6b3f6ca0f

 

 

 

 

Scanners

[ArcaVir]

2011-03-30 Found nothing

[F-Secure Anti-Virus]

2011-03-30 Found nothing

[Avast! antivirus]

2011-03-30 Found nothing

[G DATA]

2011-03-30 Found nothing

[Grisoft AVG Anti-Virus]

2011-03-30 Found nothing

[ikarus]

2011-03-30 Found nothing

[Avira AntiVir]

2011-03-30 Found nothing

[Kaspersky Anti-Virus]

2011-03-30 Found nothing

[softwin BitDefender]

2011-03-30 Found nothing

[ESET NOD32]

2011-03-30 Found nothing

[ClamAV]

2011-03-30 Found nothing

[Panda Antivirus]

2011-03-30 Found nothing

[CPsecure]

2011-03-30 Found nothing

[Quick Heal]

2011-03-30 Found nothing

[Dr.Web]

2011-03-30 Found nothing

[sophos]

2011-03-30 Found nothing

[Emsisoft Anti-Malware]

2011-03-30 Found nothing

[VirusBlokAda VBA32]

2011-03-29 Found nothing

[Frisk F-Prot Antivirus]

2011-03-29 Found nothing

[VirusBuster]

2011-03-30 Found nothing

 

C:\WINDOWS\system32\c_10000F.dll

When I tried to scan this file, all 3 websites rejected the file and would not scan it. One site said there was no file to upload, the other site would just freeze every time, and the other site still keeps saying it's having a server error, so unless something is wrong with my browser I can't call why that is happening. I tried a lot of times to get this file scanned. I did find the file; it was created on the 26th of this month, which was around the time I got the virus, and I did at least scan the file with Panda and it did not see anything.



Hello isiswisdom

 

I believe those files ought to be removed from your machine.

 

  • Please work through the following steps

     

     

  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

  • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.

  • Copy and Paste the text in the quotebox below into the open Notepad window:

     

    File::

    C:\WINDOWS\Fbudacikofe.bin

    C:\WINDOWS\system32\smbinstz.dll

    C:\WINDOWS\system32\c_10000F.dll

     

     

  • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

  • Close any open browsers.

  • Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the picture below, drag CFScript.txt into ComboFix.exe

     

    Posted Image

     

     

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Once the log is produced, re-engage your resident anti-virus.

Please post the ComboFix log in your next reply :)

 

 


Hello isiswisdom

 

Have you performed any kind of restore on this machine since your last post?

 

  • Please work through the following steps

     

     

    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not use WordPad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

       

      File::

      c:\windows\Fbudacikofe.bin

      c:\windows\system32\smbinstz.dll

      c:\windows\system32\c_10000F.dll

      c:\windows\azekudatugapojuy.dll

      c:\documents and settings\All Users\Application Data\YmEwGJXgpidLPI.exe

       

      Folder::

      c:\program files\Search Settings

       

      Registry::

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Afuha]

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchSettings]

      [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YmEwGJXgpidLPI]

       

       

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

       

      Posted Image

       

    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti-virus.

  • Clean out your temporary files

     

     

    • Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
    • Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
    • Check the boxes to the left of the following:

    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Java Cache

    • The rest are optional. If you want to remove everything check the "Select All" box.
    • Click on "Empty Selected" to begin cleaning.
    • Once the "Done Cleaning" message appears, click OK.
    • If you use Firefox, Click on the Firefox tab and repeat the above process.
    • When you have finished cleaning, click on the "Exit" button in the main menu.

  • Please perform the following scan:

     

     

    • Please download MalwareBytes AntiMalware by clicking here and save the file (called mbam-setup.exe) to your desktop.

    • Double click on the mbam-setup.exe icon to install the program.
    • Follow the prompts during installation and have the Installation Wizard create a desktop icon.
    • Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

     

    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and Paste the log in your next reply.

    Please post the ComboFix log and the MBAM log in your next reply.


No, I did not do a restore point, but ComboFix did create a restore point; I don't know why it did that. You must see something that I'm not seeing, so let me run this software and report it here.

 

ComboFix 11-04-02.03 - Compaq_Owner 04/03/2011 16:51:54.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.619 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Desktop\CFScript.txt

AV: Panda Internet Security 2011 *Disabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *Disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

.

FILE ::

"c:\documents and settings\All Users\Application Data\YmEwGJXgpidLPI.exe"

"c:\windows\azekudatugapojuy.dll"

"c:\windows\Fbudacikofe.bin"

"c:\windows\system32\c_10000F.dll"

"c:\windows\system32\smbinstz.dll"

.

.

((((((((((((((((((((((((( Files Created from 2011-03-03 to 2011-04-03 )))))))))))))))))))))))))))))))

.

.

2011-04-01 23:16 . 2011-04-01 23:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Flip Video

2011-04-01 23:14 . 2011-04-01 23:15 -------- d-----w- c:\program files\Flip Video

2011-03-29 05:34 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-03-29 05:34 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-03-27 11:42 . 2011-03-27 11:43 -------- d-----w- c:\windows\system32\NtmsData

2011-03-26 21:28 . 2011-03-27 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-26 20:10 . 2011-03-26 20:10 -------- d-----w- c:\program files\7-Zip

2011-03-26 08:03 . 2011-03-26 08:03 -------- d-----w- c:\documents and settings\Guest.ATLANTIS\Local Settings\Application Data\Panda Security

2011-03-26 08:03 . 2011-03-26 08:03 -------- d-----w- c:\documents and settings\Guest.ATLANTIS\Local Settings\Application Data\{79D7C555-37D9-480E-B714-90D6B35EE03B}

2011-03-26 07:00 . 2011-03-26 07:00 0 ----a-w- c:\windows\Fbudacikofe.bin

2011-03-26 06:57 . 2011-03-26 06:57 149504 --sha-r- c:\windows\system32\smbinstz.dll

2011-03-26 06:57 . 2011-03-26 06:57 149504 --sha-r- c:\windows\system32\c_10000F.dll

2011-03-24 04:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-24 04:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-24 04:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-24 04:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-24 04:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-24 04:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-24 04:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-24 04:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-12 22:20 . 2011-03-12 22:20 -------- d-----w- c:\documents and settings\Midori.ATLANTIS\Local Settings\Application Data\Panda Security

2011-03-11 13:09 . 2011-03-11 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\RegSERVO

2011-03-10 08:07 . 2011-03-10 08:08 -------- dc----w- C:\4ff3ce1b35fd14d537958342742f2058

2011-03-09 05:35 . 2006-07-15 22:20 401510 ----a-w- c:\program files\Mozilla Firefox\extensions\xpcom_core.dll

2011-03-07 15:01 . 2011-03-31 00:12 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2011-03-07 15:00 . 2011-03-07 15:00 -------- d-----w- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Panda Security

2011-03-07 14:55 . 2011-04-01 17:10 265320 ----a-w- c:\windows\system32\drivers\APPFCONT.DAT

2011-03-07 14:55 . 2009-09-25 19:54 46856 ----a-w- c:\windows\system32\drivers\wnmflt.sys

2011-03-07 14:55 . 2009-09-25 19:54 193800 ----a-w- c:\windows\system32\drivers\idsflt.sys

2011-03-07 14:55 . 2009-09-25 19:54 53256 ----a-w- c:\windows\system32\drivers\dsaflt.sys

2011-03-07 14:55 . 2010-02-19 00:31 76296 ----a-w- c:\windows\system32\drivers\APPFLT.SYS

2011-03-07 14:55 . 2009-09-25 19:54 159112 ----a-w- c:\windows\system32\drivers\NETFLTDI.SYS

2011-03-07 14:55 . 2009-09-25 19:54 22024 ----a-w- c:\windows\system32\drivers\fnetmon.sys

2011-03-07 14:54 . 2011-03-07 14:54 -------- d-----w- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Application Data\Panda Security

2011-03-07 14:53 . 2009-10-27 17:07 37896 ----a-w- c:\windows\system32\drivers\ShlDrv51.sys

2011-03-07 14:53 . 2011-03-07 14:53 -------- d-----w- c:\program files\Common Files\Panda Security

2011-03-07 14:53 . 2009-09-14 21:18 163336 ----a-w- c:\windows\system32\drivers\PavProc.sys

2011-03-05 19:59 . 2011-03-05 19:59 -------- d-----w- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Application Data\Unity

2011-03-05 19:36 . 2011-03-05 19:36 -------- d-----w- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Unity

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2004-08-04 12:00 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-04 12:00 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-03-18 17:53 . 2011-03-24 04:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-08-26 988480]

"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-21 180269]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Midori.ATLANTIS\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\Administrator.HOME\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Administrator.ISISWISDOM\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2010-03-24 17:55 55552 ----a-w- c:\windows\system32\avldr.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk

backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Compaq Organize.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Compaq Organize.lnk

backup=c:\windows\pss\Compaq Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^eFax 4.4.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\eFax 4.4.lnk

backup=c:\windows\pss\eFax 4.4.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^ZooskMessenger.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\ZooskMessenger.lnk

backup=c:\windows\pss\ZooskMessenger.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]

2009-10-08 16:13 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

c:\program files\eFax Messenger 4.4\J2GDllCmd.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-08-27 04:51 136176 ----atw- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 20:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NtWqIVLZEWZU]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Ftl.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]

2010-12-29 19:15 22490480 ----a-w- c:\program files\ooVoo\ooVoo.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OUU6KC5WPX]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]

2010-06-11 15:08 68928 ----a-w- c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-01-26 22:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype Recorder]

2011-01-20 19:21 1335296 ----a-w- c:\program files\Skype Recorder\Skype Recorder.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]

2006-09-15 18:21 675840 ----a-w- c:\windows\vsnp2std.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-12-21 21:01 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]

c:\windows\tsnp2std.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

c:\program files\uTorrent\uTorrent.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2009-12-23 19:18 2642168 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VXEG3ZNNE5]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Fs5.exe [bU]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Documents and Settings\\Compaq_Owner.ATLANTIS.000\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

"24726:TCP"= 24726:TCP:FlipShareServer

"24727:TCP"= 24727:TCP:FlipShareServer

.

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [3/7/2011 10:55 AM 26696]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [3/7/2011 10:55 AM 76296]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [3/7/2011 10:55 AM 53256]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [3/7/2011 10:55 AM 22024]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [3/7/2011 10:55 AM 193800]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [3/7/2011 10:55 AM 159112]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [3/7/2011 10:53 AM 37896]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [3/7/2011 10:55 AM 46856]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [3/7/2011 10:54 AM 59080]

R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]

R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [3/7/2011 10:53 AM 163336]

R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [3/7/2011 10:55 AM 28992]

R3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [3/7/2011 11:01 AM 13880]

R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [3/7/2011 10:54 AM 199688]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 11:25 AM 30969208]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - FLIPSHARESERVER

*NewlyCreated* - FLIPSHARE_SERVICE

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-04-03 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job

- c:\program files\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-01-17 20:52]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 20:43]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 20:43]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3160022376-2454873356-2939394789-1009Core.job

- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 04:51]

.

2011-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3160022376-2454873356-2939394789-1009UA.job

- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 04:51]

.

2011-03-14 c:\windows\Tasks\HPCeeSchedule.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Compaq_Owner.ATLANTIS.000\Application Data\Mozilla\Firefox\Profiles\9b3jo2ok.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-03 17:10

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(972)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\avldr.dll

.

- - - - - - - > 'explorer.exe'(1976)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-04-03 17:15:42

ComboFix-quarantined-files.txt 2011-04-03 21:15

ComboFix2.txt 2011-04-03 06:13

ComboFix3.txt 2011-03-27 04:35

ComboFix4.txt 2009-06-26 00:30

.

Pre-Run: 78,067,707,904 bytes free

Post-Run: 78,078,476,288 bytes free

.

- - End Of File - - 71A75C722F728ECC29CE5653B2364D75

 

 

 

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

 

Database version: 6260

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

4/3/2011 5:33:45 PM

mbam-log-2011-04-03 (17-33-45).txt

 

Scan type: Quick scan

Objects scanned: 382109

Time elapsed: 7 minute(s), 19 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

And I cleaned all temp files...

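The "Files Created" section of the ComboFix log above is where the suspicious entries stand out without any signature hit: the two DLLs were written in the same minute, carry hidden and system attributes (`--sha-r-`), have identical sizes, and sit in system32 next to a zero-byte `.bin` created three minutes later. The Python script below is an added example for this thread, not part of the original posts and not ComboFix's own code. It parses lines in that log format and scores each entry on those indicators; the incident window (the poster dated the infection to 26 March), the score weights, the threshold and the sample list (lines copied from the log above into a constructed list) are assumptions chosen for illustration.

```python
"""Triage "Files Created" lines from a ComboFix log.

Added example for this thread, not ComboFix's own code. It parses the
one-line-per-entry format seen in the log and scores each entry on indicators
a responder would otherwise check by hand. The window, weights and threshold
are illustrative assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Observed format: "<created> . <modified> <size or --------> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)

# Constructed sample: entries copied from the log above, one of each kind.
SAMPLE_LINES = [
    r"2011-03-29 05:34 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys",
    r"2011-03-26 21:28 . 2011-03-27 03:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware",
    r"2011-03-26 07:00 . 2011-03-26 07:00 0 ----a-w- c:\windows\Fbudacikofe.bin",
    r"2011-03-26 06:57 . 2011-03-26 06:57 149504 --sha-r- c:\windows\system32\smbinstz.dll",
    r"2011-03-26 06:57 . 2011-03-26 06:57 149504 --sha-r- c:\windows\system32\c_10000F.dll",
    r"2011-03-24 04:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll",
]

# Assumed incident window: the poster dated the infection to 26 March 2011.
WINDOW_START = datetime(2011, 3, 25)
WINDOW_END = datetime(2011, 3, 27, 23, 59)


def parse_line(line: str) -> Optional[Dict]:
    """Return a dict for one log entry, or None if the line is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    is_dir = size == "--------"  # directories carry no size in this format
    return {
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "is_dir": is_dir,
        "size": None if is_dir else int(size),
        "attrs": attrs,
        "path": path,
    }


def triage(lines: List[str], start: datetime, end: datetime,
           threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Score every entry; return (path, reasons) for those at or above threshold."""
    entries = [e for e in (parse_line(ln) for ln in lines) if e]

    # Count sizes of regular files: a dropper writing one payload under two
    # names shows up as two new files of identical size.
    size_counts: Dict[int, int] = {}
    for e in entries:
        if not e["is_dir"] and e["size"]:
            size_counts[e["size"]] = size_counts.get(e["size"], 0) + 1

    flagged = []
    for e in entries:
        reasons = []
        if start <= e["created"] <= end:
            reasons.append("created inside the incident window")
        # Attribute letters as they appear in the log: 's' system, 'h' hidden.
        if "s" in e["attrs"] and "h" in e["attrs"]:
            reasons.append("hidden+system attributes")
        if not e["is_dir"] and e["size"] == 0:
            reasons.append("zero-byte file")
        if e["path"].lower().startswith("c:\\windows\\"):
            reasons.append("written under the Windows directory")
        if not e["is_dir"] and size_counts.get(e["size"], 0) > 1:
            reasons.append("size shared with another new file")
        # Hidden+system on a freshly created file weighs double (assumed weight).
        score = sum(2 if r.startswith("hidden") else 1 for r in reasons)
        if score >= threshold:
            flagged.append((e["path"], reasons))
    return flagged


def run_sample() -> List[str]:
    """Flagged paths for the constructed sample with the assumed window."""
    return [path for path, _ in triage(SAMPLE_LINES, WINDOW_START, WINDOW_END)]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES, WINDOW_START, WINDOW_END):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the three files the helper put in the CFScript cross the threshold; the legitimate driver, the Firefox update and the Malwarebytes folder each collect at most one point. The point of scoring rather than matching names is that none of the indicators alone is proof: a single new file under `c:\windows` is normal after a driver install, and only the combination of timing, attributes and duplicated size is unusual.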

Hello isiswisdom

 

Those files are not being removed from your machine...

 

Please do the following:

 

  • Please download SystemLook by JPShortstuff

     

     

    • Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
    • Double click SystemLook.exe to run the program.
    • Copy the content of the following codebox into the main textfield:

    :filefind
    *Fbudacikofe*
    *smbinstz*
    *c_10000F*
    

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    • Note: The log can also be found on your Desktop entitled SystemLook.txt

  • Please update your Java

     

     

    • To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
    • In the window that opens, click on the "Update" tab, and then on "Update Now".
    • Your Java should begin to update. Please follow any prompts that you receive.

  • Please run the following scan

     

     

    • Note: You will need to use Internet Explorer for this scan.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.

     

    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

     

    • Check Posted Image
    • Click the Posted Image button.
    • Accept any security warnings from your browser.
    • Check Posted Image
    • Make sure that the option to "Remove Found Threats" is UN checked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push Posted Image
    • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the Posted Image button.
    • Push Posted Image

    Please post the SystemLook log and the ESET log in your next reply and let me know exactly how the machine is behaving now, and if you are still experiencing problems.


The results of the scanner are quite disturbing. I saw at least 5 on my desktop and even more on my daughter's desktop, geez. That would explain why the computer was acting so slow. It runs better now but you can still hear that crunching noise like Java or something. I had to uninstall and reinstall with the latest version of Java. When I went to the site it told me to remove various installations, but when I went to Add/Remove Programs it showed only one. However, when you run a search on this computer all kinds of Java folders and things came up. I did not delete any of it because some of those files look to be like system files. Just out of curiosity, why could I not have those files removed from that program? I know you wanted to see it but I was just wondering.

 

SystemLook 04.09.10 by jpshortstuff

Log created at 07:07 on 05/04/2011 by Compaq_Owner

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "*Fbudacikofe*"

C:\WINDOWS\Fbudacikofe.bin --a---- 0 bytes [07:00 26/03/2011] [07:00 26/03/2011] D41D8CD98F00B204E9800998ECF8427E

 

Searching for "*smbinstz*"

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\smbinstz.dll.lnk --a---- 550 bytes [12:37 28/03/2011] [16:53 30/03/2011] 0037D51562E733865C5887582CFE79A7

C:\WINDOWS\system32\smbinstz.dll -rahs-- 149504 bytes [06:57 26/03/2011] [06:57 26/03/2011] (Unable to calculate MD5)

 

Searching for "*c_10000F*"

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\c_10000F.dll.lnk --a---- 550 bytes [16:04 28/03/2011] [17:10 30/03/2011] B9561E95B0BB7C24B623CFAA806BE39F

C:\WINDOWS\system32\c_10000F.dll -rahs-- 149504 bytes [06:57 26/03/2011] [06:57 26/03/2011] (Unable to calculate MD5)

 

-= EOF =-

 

ESET online scanner results

 

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Application Data\Sun\Java\Deployment\cache\6.0\35\1d42b1a3-448e75af Java/TrojanDownloader.Agent.NCM trojan

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\blog photos 1\Downloads\media.player.codec.pack.v3.9.1.setup.exe Win32/Adware.Toolbar.Dealio application

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\jZipV1c.exe a variant of Win32/Adware.Toolbar.Shopper.AA application

C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\Downloads\media.player.codec.pack.v3.9.1.setup.exe Win32/Adware.Toolbar.Dealio application

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\10\35ace28a-6117b8fa multiple threats

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\15\399851cf-3283dece probably a variant of Win32/Agent.FQRCZBA trojan

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\24\38566918-426c3127 a variant of Java/TrojanDownloader.Agent.NAN trojan

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\25\16646899-4201d4e9 multiple threats

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\32\4e5c2020-21885f0d multiple threats

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\23ea3369-29b74db3 multiple threats

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-4275235d a variant of Java/Exploit.Agent.NAC trojan

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-7eace744 multiple threats

C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\473ab678-6efc9201 a variant of Java/TrojanDownloader.OpenStream.NBF trojan

C:\hp\bin\wbug\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

C:\hp\drivers\hpiz\autorun.inf INF/Autorun.Sz virus

C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\autorun.inf INF/Autorun.Sz virus

C:\Program Files\HP\Temp\{1A65E29E-5BAF-4452-A111-3290AED6BDBC}\autorun.inf INF/Autorun.Sz virus

C:\Program Files\HP\Temp\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\autorun.inf INF/Autorun.Sz virus

C:\Qoobox\Quarantine\C\WINDOWS\Fmacaa.exe.vir a variant of Win32/Kryptik.LYZ trojan

C:\Qoobox\Quarantine\C\WINDOWS\Fmacab.exe.vir a variant of Win32/Kryptik.LYZ trojan

C:\Qoobox\Quarantine\C\WINDOWS\Fmacac.exe.vir a variant of Win32/Kryptik.LYZ trojan

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0000006.dll a variant of Win32/Cimag.GL trojan

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001138.rbf a variant of Win32/Adware.Toolbar.Dealio application

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001143.rbf a variant of Win32/Adware.Toolbar.Dealio application

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001144.rbf probably a variant of Win32/Adware.Toolbar.Dealio application

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001492.exe a variant of Win32/Kryptik.LYZ trojan

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001493.exe a variant of Win32/Kryptik.LYZ trojan

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP2\A0001494.exe a variant of Win32/Kryptik.LYZ trojan

D:\I386\Apps\APP27596\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

D:\I386\Apps\APP27596\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

Edited by isiswisdom

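The SystemLook log above is the piece of evidence the helper reacts to: a zero-byte marker file in C:\WINDOWS, and two DLLs in system32 that carry the hidden and system attributes, share the same size and creation time, and could not even be hashed. The following Python script is an added example written for this thread, not SystemLook's own code or anything posted by its author: it parses the `:filefind` result lines in the format SystemLook produces and flags those indicators automatically. The sample input is copied from the log posted above; the rule names, the `FileHit` record and the reason strings are this example's own choices.

```python
"""Triage helper for SystemLook ':filefind' output.

Added example for this thread (not SystemLook's own code): it parses the
result lines SystemLook writes and flags the indicators a malware-removal
helper looks for. Rule names and reason strings are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# MD5 of an empty input; a 0-byte file always hashes to this value.
EMPTY_FILE_MD5 = "D41D8CD98F00B204E9800998ECF8427E"

# Sample input copied from the SystemLook log posted earlier in this thread.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 07:07 on 05/04/2011 by Compaq_Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fbudacikofe*"
C:\WINDOWS\Fbudacikofe.bin --a---- 0 bytes [07:00 26/03/2011] [07:00 26/03/2011] D41D8CD98F00B204E9800998ECF8427E

Searching for "*smbinstz*"
C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\smbinstz.dll.lnk --a---- 550 bytes [12:37 28/03/2011] [16:53 30/03/2011] 0037D51562E733865C5887582CFE79A7
C:\WINDOWS\system32\smbinstz.dll -rahs-- 149504 bytes [06:57 26/03/2011] [06:57 26/03/2011] (Unable to calculate MD5)

Searching for "*c_10000F*"
C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\c_10000F.dll.lnk --a---- 550 bytes [16:04 28/03/2011] [17:10 30/03/2011] B9561E95B0BB7C24B623CFAA806BE39F
C:\WINDOWS\system32\c_10000F.dll -rahs-- 149504 bytes [06:57 26/03/2011] [06:57 26/03/2011] (Unable to calculate MD5)

-= EOF =-
"""


@dataclass
class FileHit:
    search: str            # the wildcard pattern this hit came from
    path: str
    attrs: str             # SystemLook attribute string, e.g. "-rahs--"
    size: int
    created: str
    modified: str
    md5: Optional[str]     # None when SystemLook could not read the file


SEARCH_RE = re.compile(r'^Searching for "(?P<pat>.+)"$')
# <path> <7-char attrs> <size> bytes [created] [modified] <md5 | unable>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))\s*$"
)


def parse_systemlook(text):
    """Return one FileHit per result line in a SystemLook filefind log."""
    hits, current = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("pat")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue               # banner, blank, separator or EOF line
        md5 = m.group("md5").upper()
        hits.append(FileHit(current, m.group("path"), m.group("attrs"),
                            int(m.group("size")), m.group("created"),
                            m.group("modified"),
                            None if md5.startswith("(") else md5))
    return hits


def triage(hits):
    """Return {path: [reason, ...]} for every hit that deserves a closer look."""
    findings = defaultdict(list)
    # .lnk shortcuts in Recent only record that something opened the file.
    files = [h for h in hits if not h.path.lower().endswith(".lnk")]
    shortcuts = [h for h in hits if h.path.lower().endswith(".lnk")]
    for h in files:
        low = h.path.lower()
        if "h" in h.attrs and "s" in h.attrs and "\\windows\\system32\\" in low:
            findings[h.path].append("hidden+system attributes on a file in system32")
        if h.size == 0 and h.md5 == EMPTY_FILE_MD5:
            findings[h.path].append("zero-byte file (MD5 is the empty-file hash)")
        if h.md5 is None:
            findings[h.path].append("MD5 could not be computed: file locked or access denied")
    # Files sharing size and creation minute were very likely dropped together.
    groups = defaultdict(list)
    for h in files:
        groups[(h.size, h.created)].append(h)
    for (size, created), members in groups.items():
        if len(members) > 1:
            for h in members:
                others = ", ".join(m.path for m in members if m is not h)
                findings[h.path].append(
                    f"same size ({size} bytes) and creation time ({created}) as {others}")
    # A Recent shortcut named after a hit means the file was opened via the shell.
    for s in shortcuts:
        target = s.path.rsplit("\\", 1)[-1][:-4].lower()   # strip ".lnk"
        for h in files:
            if h.path.lower().endswith("\\" + target):
                findings[h.path].append(f"opened through the shell (Recent shortcut {s.path})")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(parse_systemlook(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run it against a saved SystemLook.txt by replacing `SAMPLE_LOG` with the file's contents. The grouping rule is deliberately coarse (size plus creation minute) because that is the granularity SystemLook reports; on a real log it will pair legitimate files that were installed together, so treat its output as a review list, not a verdict.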

Hello isiswisdom

 

Thank you for the log.

 

Just out of curiosity why could I not have those files removed from that program?

It appears as though the ComboFix script was not executed properly. Those files still need to be removed along with the ESET detections. Let's try and take care of that now.

 

Please make sure that all of your security programs are completely disabled before running the following script:

 

 

  • Please work through the following steps

     

     

  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

  • NOTE: Do not use WordPad or any other text editor except Notepad or the script will fail.

  • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

     

    http://forums.pcpitstop.com/index.php?/topic/194344-lost-desktop-utility-rundll32exe/
    
    Collect::
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\smbinstz.dll.lnk
    C:\WINDOWS\system32\smbinstz.dll
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Recent\c_10000F.dll.lnk
    C:\WINDOWS\system32\c_10000F.dll
    
    File::
    C:\WINDOWS\Fbudacikofe.bin
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\Application Data\Sun\Java\Deployment\cache\6.0\35\1d42b1a3-448e75af
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\blog photos 1\Downloads\media.player.codec.pack.v3.9.1.setup.exe
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\jZipV1c.exe
    C:\Documents and Settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\Downloads\media.player.codec.pack.v3.9.1.setup.exe
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\10\35ace28a-6117b8fa
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\15\399851cf-3283dece
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\24\38566918-426c3127
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\25\16646899-4201d4e9
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\32\4e5c2020-21885f0d
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\23ea3369-29b74db3
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-4275235d
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-7eace744
    C:\Documents and Settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\473ab678-6efc9201
    C:\hp\bin\wbug\CompaqPresario_Spring06.exe
    D:\I386\Apps\APP27596\src\CompaqPresario_Spring06.exe
    D:\I386\Apps\APP27596\src\HPPavillion_Spring06.exe
    
    

  • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

  • Close any open browsers.

  • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Referring to the picture below, drag CFScript.txt into ComboFix.exe

     

    Posted Image

     

     

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • Once the log is produced, re-engage your resident anti virus.
  • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Please post the ComboFix log in your next reply.

 


ComboFix 11-04-05.02 - Compaq_Owner 04/06/2011 12:11:51.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.484 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Desktop\CFScript.txt

AV: Panda Internet Security 2011 *Disabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}

FW: Panda Personal Firewall 2011 *Disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}

.

FILE ::

"c:\documents and settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe"

"c:\documents and settings\Compaq_Owner.ATLANTIS.000\Application Data\Sun\Java\Deployment\cache\6.0\35\1d42b1a3-448e75af"

"c:\documents and settings\Compaq_Owner.ATLANTIS.000\My Documents\blog photos 1\Downloads\media.player.codec.pack.v3.9.1.setup.exe"

"c:\documents and settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\Downloads\media.player.codec.pack.v3.9.1.setup.exe"

"c:\documents and settings\Compaq_Owner.ATLANTIS.000\My Documents\Downloads\jZipV1c.exe"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\10\35ace28a-6117b8fa"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\15\399851cf-3283dece"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\24\38566918-426c3127"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\25\16646899-4201d4e9"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\32\4e5c2020-21885f0d"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\23ea3369-29b74db3"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\41\6aa23129-4275235d"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\2d475f78-7eace744"

"c:\documents and settings\Midori.ATLANTIS\Application Data\Sun\Java\Deployment\cache\6.0\56\473ab678-6efc9201"

"c:\hp\bin\wbug\CompaqPresario_Spring06.exe"

"c:\windows\Fbudacikofe.bin"

"d:\i386\Apps\APP27596\src\CompaqPresario_Spring06.exe"

"d:\i386\Apps\APP27596\src\HPPavillion_Spring06.exe"

.

file zipped: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Recent\c_10000F.dll.lnk

file zipped: c:\documents and settings\Compaq_Owner.ATLANTIS.000\Recent\smbinstz.dll.lnk

file zipped: c:\windows\system32\c_10000F.dll

file zipped: c:\windows\system32\smbinstz.dll

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\~Simone~\WINDOWS

c:\documents and settings\Administrator.HOME\WINDOWS

c:\documents and settings\Administrator.ISISWISDOM\WINDOWS

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\adminstrator\WINDOWS

c:\documents and settings\Compaq_Owner.ATLANTIS.000\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Guest.ATLANTIS\WINDOWS

c:\documents and settings\Guest.HOME\WINDOWS

c:\documents and settings\Guest.ISISWISDOM\WINDOWS

c:\documents and settings\Guest\WINDOWS

c:\documents and settings\Isiswisdom\WINDOWS

c:\documents and settings\Midori.ATLANTIS\WINDOWS

c:\documents and settings\Midori\WINDOWS

c:\documents and settings\TEMP.HOME.000\WINDOWS

c:\documents and settings\TEMP.HOME\WINDOWS

c:\documents and settings\Wordonthestreetsmag\WINDOWS

c:\windows\system32\c_10000F.dll

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\smbinstz.dll

.

.

((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))

.

.

2011-04-05 11:01 . 2011-04-05 11:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-04-05 10:17 . 2011-04-05 10:17 -------- d-----w- c:\documents and settings\LocalService\Application Data\Flip Video

2011-04-03 21:24 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-03 21:24 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-01 23:16 . 2011-04-01 23:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Flip Video

2011-04-01 23:14 . 2011-04-01 23:15 -------- d-----w- c:\program files\Flip Video

2011-03-29 05:34 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2011-03-29 05:34 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2011-03-27 11:42 . 2011-03-27 11:43 -------- d-----w- c:\windows\system32\NtmsData

2011-03-26 21:28 . 2011-04-03 21:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-26 20:10 . 2011-03-26 20:10 -------- d-----w- c:\program files\7-Zip

2011-03-26 08:03 . 2011-03-26 08:03 -------- d-----w- c:\documents and settings\Guest.ATLANTIS\Local Settings\Application Data\Panda Security

2011-03-26 08:03 . 2011-03-26 08:03 -------- d-----w- c:\documents and settings\Guest.ATLANTIS\Local Settings\Application Data\{79D7C555-37D9-480E-B714-90D6B35EE03B}

2011-03-26 07:00 . 2011-03-26 07:00 0 ----a-w- c:\windows\Fbudacikofe.bin

2011-03-24 04:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

2011-03-24 04:43 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-03-24 04:43 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-03-24 04:43 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-03-24 04:43 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-03-24 04:43 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-03-24 04:43 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-03-24 04:43 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-03-12 22:20 . 2011-03-12 22:20 -------- d-----w- c:\documents and settings\Midori.ATLANTIS\Local Settings\Application Data\Panda Security

2011-03-11 13:09 . 2011-03-11 13:09 -------- d-----w- c:\documents and settings\All Users\Application Data\RegSERVO

2011-03-10 08:07 . 2011-03-10 08:08 -------- dc----w- C:\4ff3ce1b35fd14d537958342742f2058

2011-03-09 05:35 . 2006-07-15 22:20 401510 ----a-w- c:\program files\Mozilla Firefox\extensions\xpcom_core.dll

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-06 09:13 . 2011-03-07 15:01 13880 ----a-w- c:\windows\system32\drivers\COMFiltr.sys

2011-04-05 11:01 . 2010-05-30 05:03 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 07:58 . 2004-08-04 12:00 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2004-08-04 12:00 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2004-08-04 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2011-03-18 17:53 . 2011-03-24 04:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-08-26 988480]

"SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-21 180269]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

c:\documents and settings\Default User\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Midori.ATLANTIS\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

.

c:\documents and settings\Administrator.HOME\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

c:\documents and settings\Administrator.ISISWISDOM\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-21 27136]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2010-03-24 17:55 55552 ----a-w- c:\windows\system32\avldr.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan.lnk

backup=c:\windows\pss\McAfee Security Scan.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Compaq Organize.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Compaq Organize.lnk

backup=c:\windows\pss\Compaq Organize.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^Dropbox.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\Dropbox.lnk

backup=c:\windows\pss\Dropbox.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^eFax 4.4.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\eFax 4.4.lnk

backup=c:\windows\pss\eFax 4.4.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk

backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ATLANTIS.000^Start Menu^Programs^Startup^ZooskMessenger.lnk]

path=c:\documents and settings\Compaq_Owner.ATLANTIS.000\Start Menu\Programs\Startup\ZooskMessenger.lnk

backup=c:\windows\pss\ZooskMessenger.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-12-14 22:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]

2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]

2009-10-08 16:13 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]

c:\program files\eFax Messenger 4.4\J2GDllCmd.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-08-27 04:51 136176 ----atw- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2008-12-08 20:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

2005-09-21 17:41 1605740 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-03-07 19:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2009-11-10 20:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NtWqIVLZEWZU]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Ftl.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]

2010-12-29 19:15 22490480 ----a-w- c:\program files\ooVoo\ooVoo.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OUU6KC5WPX]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Fs4.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]

2010-06-11 15:08 68928 ----a-w- c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-01-26 22:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype Recorder]

2011-01-20 19:21 1335296 ----a-w- c:\program files\Skype Recorder\Skype Recorder.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]

2006-09-15 18:21 675840 ----a-w- c:\windows\vsnp2std.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-10-29 18:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-12-21 21:01 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]

c:\windows\tsnp2std.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

c:\program files\uTorrent\uTorrent.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]

2009-12-23 19:18 2642168 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VXEG3ZNNE5]

c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\Fs5.exe [bU]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Documents and Settings\\Compaq_Owner.ATLANTIS.000\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443

"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443

"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674

"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674

"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

"24726:TCP"= 24726:TCP:FlipShareServer

"24727:TCP"= 24727:TCP:FlipShareServer

"1038:TCP"= 1038:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [3/7/2011 10:55 AM 26696]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [3/7/2011 10:55 AM 76296]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [3/7/2011 10:55 AM 53256]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [3/7/2011 10:55 AM 22024]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [3/7/2011 10:55 AM 193800]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [3/7/2011 10:55 AM 159112]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [3/7/2011 10:53 AM 37896]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [3/7/2011 10:55 AM 46856]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]

R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [3/7/2011 10:54 AM 59080]

R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 1:22 PM 1085440]

R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [3/7/2011 10:53 AM 163336]

R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [3/7/2011 10:55 AM 28992]

R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [3/7/2011 10:54 AM 199688]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

S3 CFcatchme;CFcatchme;\??\c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\COMPAQ~1.000\LOCALS~1\Temp\CFcatchme.sys [?]

S3 ComFiltr;Panda Anti-Dialer;c:\windows\system32\drivers\COMFiltr.sys [3/7/2011 11:01 AM 13880]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 11:25 AM 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-04-06 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job

- c:\program files\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-01-17 20:52]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 20:43]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-27 20:43]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3160022376-2454873356-2939394789-1009Core.job

- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 04:51]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3160022376-2454873356-2939394789-1009UA.job

- c:\documents and settings\Compaq_Owner.ATLANTIS.000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 04:51]

.

2011-03-14 c:\windows\Tasks\HPCeeSchedule.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-09 03:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.att.net

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

FF - ProfilePath - c:\documents and settings\Compaq_Owner.ATLANTIS.000\Application Data\Mozilla\Firefox\Profiles\9b3jo2ok.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-06 12:33

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(924)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\avldr.dll

.

- - - - - - - > 'explorer.exe'(880)

c:\windows\system32\WININET.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Panda Security\Panda Internet Security 2011\TPSrv.exe

c:\program files\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Flip Video\FlipShare\FlipShareService.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Panda Security\Panda Internet Security 2011\PsCtrls.exe

c:\program files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe

c:\program files\Common Files\Panda Security\PavShld\pavprsrv.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PSIService.exe

c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE

c:\program files\Panda Security\Panda Internet Security 2011\PsImSvc.exe

c:\program files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe

c:\program files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-04-06 12:42:55 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-06 16:42

ComboFix2.txt 2011-04-03 21:15

ComboFix3.txt 2011-04-03 06:13

ComboFix4.txt 2011-03-27 04:35

ComboFix5.txt 2011-04-06 16:10

.

Pre-Run: 80,057,835,520 bytes free

Post-Run: 80,165,830,656 bytes free

.

- - End Of File - - AEEBFA61DEC047DD7F9079A5707B637E

Upload was successful


Hello isiswisdom

Please let me know how your machine is running now.


My computer runs a lot better now, but for some reason my desktop load time is very slow. I checked the startup programs in msconfig and only 5 programs start, so I don't know if it's a memory issue or not. When I log on to it, even when the computer reboots, it moves a lot slower now since I ran that ESET scan and all those viruses were revealed. But it's OK. Even the browser is acting funny, slow and sticking. Just for the record, the wordonthestreetsmag is my magazine, and I noticed that something on there with that name on it had been deleted. I hope it was not a folder or something.

Edited by isiswisdom


Hello isiswisdom

"I hope it was not a folder or something"

It may be possible that ComboFix has removed something it should not have.

Let's find out. We can always restore what was removed, so there is no need to worry:

Please navigate to and open the following file and post the log:

C:\Qoobox\ComboFix-quarantined-files.txt
