Okay, I have run ComboFix and the cleaner. Now Kaspersky Lab asks that you turn off antivirus programs to run it, but I don't feel comfortable doing that. Is that safe?

Yes, it's safe.

Okay, here is the Kscan report and GMER:
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 15:18:32
Records in database: 2494909

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area: My Computer
C:\
D:\
E:\

Scan statistics
Files scanned: 110042
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:41:27
No malware has been detected. The scan area is clean. The selected area was scanned.
GMER:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-19 22:19:25
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT spcs.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spcs.sys ZwEnumerateValueKey [0xB9EC7030]
Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A6501F8
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- EOF - GMER 1.0.15 ----
higruidmydckil & UACd.sys are still showing up in my registry even though everything seems clean. Is there anything that will delete them? Thank you for all your help!

Download Registry Search by Bobbi Flekman (see the link titled RegSearch Download Link)

* Extract the files from Regsearch.zip into a folder.
* Doubleclick regsearch.exe to start the program.
* Enter UACd.sys in the top area of the form and then click OK.
* Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
* Add the contents of the Notepad file to your next reply.
----------
Also search for higruidmydckil and post that log.

Here are the logs from the registry search:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/20/2009 10:22:47 AM for strings:
; 'hjgruidmydckil'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_USERS\S-1-5-21-1277242506-2705649472-1450290610-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Services\\hjgruidmydckil"
; End Of The Log...
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/20/2009 10:51:28 AM for strings:
; 'uacd.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_USERS\S-1-5-21-1277242506-2705649472-1450290610-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Services\\UACd.sys"
; End Of The Log...
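The RegSearch step above (search key names, value names and value data under HKEY_LOCAL_MACHINE and HKEY_USERS for a string, and write a .reg-style report) can be reproduced with built-in tooling. The script below is an added example, not RegSearch's code and not something posted in the thread; it assumes an elevated Windows PowerShell session, and the default pattern list and output path are placeholders to change. It only reads the registry and writes a text report.

```powershell
# Added example: read-only registry string search in the spirit of RegSearch.
# Assumptions (not from the thread): elevated Windows PowerShell; $Patterns and
# $OutFile defaults are placeholders.
param(
    [string[]]$Patterns = @('UACd.sys', 'hjgruidmydckil'),
    [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'RegSearch-ps.txt')
)

# HKLM: is mapped as a drive by default; HKEY_USERS is not.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Case-insensitive substring test against every requested pattern.
function Test-PatternMatch {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($p in $Patterns) {
        if ($Text.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Render value data as text so REG_BINARY (hex plus printable ASCII) and
# REG_MULTI_SZ values are searchable like strings.
function Format-RegData {
    param($Data)
    if ($null -eq $Data) { return '' }
    if ($Data -is [byte[]]) {
        $hex = ($Data | ForEach-Object { $_.ToString('x2') }) -join ','
        $txt = [System.Text.Encoding]::ASCII.GetString($Data) -replace '[^\x20-\x7e]', '.'
        return "$hex | $txt"
    }
    if ($Data -is [string[]]) { return $Data -join '\0' }
    return [string]$Data
}

$hits = New-Object System.Collections.Generic.List[string]
foreach ($root in 'HKLM:\', 'HKU:\') {
    # Keys this account cannot open (SAM, SECURITY, locked keys) are skipped, not fatal.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $keyPath = $key.Name                      # e.g. HKEY_LOCAL_MACHINE\SYSTEM\...
        if (Test-PatternMatch $keyPath) { $hits.Add("[$keyPath]") }
        try { $names = $key.GetValueNames() } catch { return }
        foreach ($name in $names) {
            $raw = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $dataText = Format-RegData $raw
            if ((Test-PatternMatch $name) -or (Test-PatternMatch $dataText)) {
                $shown = if ($name -eq '') { '@' } else { '"' + $name + '"' }
                $hits.Add("[$keyPath]`r`n$shown=`"$dataText`"")
            }
        }
    }
}

# Report in the same shape as the RegSearch logs posted in the thread.
$report = @(
    'Windows Registry Editor Version 5.00'
    "; Registry string search (added example) at $(Get-Date -Format 'G') for strings:"
    ($Patterns | ForEach-Object { "; '$_'" })
    '; Search in: key names, value names, value data under HKEY_LOCAL_MACHINE and HKEY_USERS'
    ''
) + $hits.ToArray() + @('', '; End Of The Log...')
$report | Set-Content -Path $OutFile
Write-Host "$($hits.Count) hit(s); report written to $OutFile"
```

When reading the output, note what the two logs above actually matched: the only hit was the "LastKey" value under ...\Applets\Regedit, which Regedit itself writes to remember the key that was last selected in its window. A hit there records that someone browsed to ControlSet003\Services\<name> in Regedit, not that the service key still exists, so it is not evidence of a surviving persistence entry on its own.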
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your Desktop
DO NOT run it yet!
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system
Delete these files/folders, as follows:
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad. It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::
FixCSet::
Quit::
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it will produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
----------
Now search the registry again for those entries and post the logs.

Okay, here are the logs:
ComboFix 09-07-20.03 - Suil 07/20/2009 20:25.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1385 [GMT -4:00]
Running from: c:\documents and settings\Suil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Suil\Desktop\CFScript.txt
AV: EMBARQ® Online Security 8.00 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: EMBARQ® Online Security 8.00 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.
2009-07-20 18:24 . 2009-07-20 18:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-20 16:51 . 2009-07-20 16:51 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-18 03:00 . 2009-07-18 03:00 -------- d-----w- C:\Rooter$
2009-07-17 17:38 . 2009-07-17 19:22 117760 ----a-w- c:\documents and settings\\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 17:37 . 2009-07-17 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-17 17:37 . 2009-07-20 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-17 17:37 . 2009-07-20 16:23 -------- d-----w- c:\documents and settings\\Application Data\SUPERAntiSpyware.com
2009-07-17 00:02 . 2009-07-17 00:02 -------- d-----w- c:\program files\Alwil Software
2009-07-16 19:56 . 2009-07-16 19:56 -------- d-----w- c:\documents and settings\\Application Data\ImgBurn
2009-07-16 19:50 . 2009-07-16 19:50 -------- d-----w- c:\program files\ImgBurn
2009-07-16 14:17 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-16 14:17 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-16 14:15 . 2009-02-06 09:49 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-16 14:15 . 2009-02-06 09:49 2062976 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-16 02:44 . 2009-07-16 02:44 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-16 00:09 . 2009-07-20 16:47 -------- d-----w- C:\UBCD4Win
2009-07-15 21:02 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-15 20:29 . 2009-07-15 20:29 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-15 20:28 . 2009-07-15 20:28 152576 ----a-w- c:\documents and settings\\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-07-15 19:30 . 2009-07-15 19:30 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-15 17:29 . 2004-08-04 10:00 456704 -c--a-w- c:\windows\system32\dllcache\smtpsvc.dll
2009-07-15 17:28 . 2004-08-04 10:00 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2009-07-15 17:27 . 2004-08-04 10:00 829440 -c--a-w- c:\windows\system32\dllcache\inetmgr.dll
2009-07-15 17:24 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-07-15 17:08 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2009-07-15 17:08 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2009-07-15 17:08 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2009-07-15 17:08 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2009-07-15 17:08 . 2009-07-15 17:08 -------- d-s---w- c:\windows\system32\config\systemprofile\History
2009-07-15 12:54 . 2009-07-15 12:54 -------- d-----w- c:\windows\dell
2009-07-14 19:35 . 2009-07-14 19:35 -------- d-----w- c:\program files\Windows Resource Kits
2009-07-14 18:09 . 2009-07-14 18:09 -------- d-sh--w- c:\documents and settings\\PrivacIE
2009-07-14 18:05 . 2009-07-14 18:05 -------- d-sh--w- c:\documents and settings\\IETldCache
2009-07-14 18:04 . 2009-07-14 18:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-14 18:03 . 2009-07-14 18:03 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-14 18:01 . 2009-07-14 18:01 -------- d-----w- c:\windows\ie8updates
2009-07-14 17:59 . 2009-07-14 18:00 -------- dc-h--w- c:\windows\ie8
2009-07-13 00:22 . 2009-07-13 00:22 -------- d-----w- c:\documents and settings\\Application Data\Apple Computer
2009-07-12 23:52 . 2009-07-12 23:52 -------- d-----w- c:\program files\Trend Micro
2009-07-12 00:29 . 2009-07-12 00:29 -------- d-----w- c:\documents and settings\\Application Data\Malwarebytes
2009-07-12 00:29 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 00:29 . 2009-07-15 19:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-12 00:29 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 00:29 . 2009-07-12 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-11 01:26 . 2009-07-11 01:26 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-07-09 00:00 . 2009-07-09 00:01 -------- d-----w- c:\program files\QuickTime
2009-07-09 00:00 . 2009-07-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-09 00:00 . 2009-07-09 00:00 -------- d-----w- c:\documents and settings\\Local Settings\Application Data\Apple
2009-07-08 23:59 . 2009-07-09 00:00 -------- d-----w- c:\program files\Apple Software Update
2009-07-08 23:59 . 2009-07-08 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-08 23:59 . 2009-07-08 23:59 -------- d-----w- c:\documents and settings\\Local Settings\Application Data\Apple Computer
2009-06-29 21:10 . 2009-06-29 21:10 -------- d-----w- c:\program files\IKEA HomePlanner
2009-06-29 21:10 . 2009-07-20 16:59 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 12:14 . 2009-06-23 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-06-23 12:14 . 2009-06-23 12:14 -------- d-----w- c:\documents and settings\\Application Data\HPAppData
2009-06-23 12:11 . 2009-06-23 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-23 12:07 . 2009-07-09 13:46 145901 ----a-w- c:\windows\hpoins21.dat
2009-06-23 12:07 . 2007-09-05 18:26 8138 ----a-w- c:\windows\hpomdl21.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 00:03 . 2009-06-05 16:12 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-20 21:04 . 2008-11-14 22:09 -------- d-----w- c:\program files\Embarq Online Security 8
2009-07-20 16:53 . 2008-09-15 14:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-17 19:35 . 2006-05-30 20:23 -------- d-----w- c:\program files\Java
2009-07-17 02:28 . 2006-06-04 16:29 204744 ----a-w- c:\documents and settings\\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 02:44 . 2006-05-30 20:26 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-15 19:21 . 2006-06-07 22:14 302 ----a-w- c:\windows\system32\wacom.dat
2009-07-15 17:23 . 2004-08-11 22:12 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-11 00:58 . 2006-06-14 20:25 163712 ----a-w- c:\windows\system32\drivers\vidstub.*censored*
2009-07-08 13:44 . 2008-11-14 22:21 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2009-06-23 12:14 . 2006-10-15 23:19 -------- d-----w- c:\program files\HP
2009-06-23 00:57 . 2006-10-15 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-16 14:55 . 2004-08-04 10:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-11 14:55 . 2009-06-11 14:56 25784 ----a-w- c:\windows\Fonts\ROTORCAP.TTF
2009-06-11 14:43 . 2009-06-11 14:44 37388 ----a-w- c:\windows\Fonts\visitor2.ttf
2009-06-11 14:43 . 2009-06-11 14:44 3520 ----a-w- c:\windows\Fonts\VISITOR.FON
2009-06-11 14:43 . 2009-06-11 14:44 3856 ----a-w- c:\windows\Fonts\mints-strong.fon
2009-06-11 14:39 . 2009-06-11 14:40 256880 ----a-w- c:\windows\Fonts\Calibribold.ttf
2009-06-11 14:39 . 2009-06-11 14:40 367620 ----a-w- c:\windows\Fonts\CalibriIz.TTF
2009-06-11 14:39 . 2009-06-11 14:40 36648 ----a-w- c:\windows\Fonts\MARKEN__.TTF
2009-06-11 14:39 . 2009-06-11 14:40 36552 ----a-w- c:\windows\Fonts\MARKEN__CAPS.ttf
2009-06-11 14:35 . 2009-06-11 14:36 52680 ----a-w- c:\windows\Fonts\STAN0757CAPS.TTF
2009-06-11 14:35 . 2009-06-11 14:36 316876 ----a-w- c:\windows\Fonts\arialcaps.ttf
2009-06-11 02:44 . 2009-06-11 02:45 46596 ----a-w- c:\windows\Fonts\Arial Special G1 Caps.ttf
2009-06-11 02:12 . 2009-06-11 02:13 71132 ----a-w- c:\windows\Fonts\ITC Avant Garde Gothic LT Bold.ttf
2009-06-11 02:12 . 2009-06-11 02:13 70040 ----a-w- c:\windows\Fonts\ITC Avant Garde Gothic LT Medium.ttf
2009-06-11 02:12 . 2009-06-11 02:13 6928 ----a-w- c:\windows\Fonts\HaxrCorp 4088.fon
2009-06-11 02:12 . 2009-06-11 02:13 64396 ----a-w- c:\windows\Fonts\ITC Avant Garde Gothic LT Medium Caps.ttf
2009-06-11 02:12 . 2009-06-11 02:13 4240 ----a-w- c:\windows\Fonts\HaxrCorp Caps.FON
2009-06-11 02:12 . 2009-06-11 02:13 254296 ----a-w- c:\windows\Fonts\calibri.ttf
2009-06-11 02:03 . 2009-06-11 02:03 -------- d-----w- c:\program files\Free RAR Extract Frog
2009-06-07 03:15 . 2009-06-07 03:15 47792 ----a-w- c:\windows\Fonts\HOOG0554.TTF
2009-06-07 02:52 . 2009-06-07 02:53 46368 ----a-w- c:\windows\Fonts\Kroe0555caps.ttf
2009-06-07 02:52 . 2009-06-07 02:53 3952 ----a-w- c:\windows\Fonts\Kroeger0.fon
2009-06-07 02:52 . 2009-06-07 02:53 22464 ----a-w- c:\windows\Fonts\pf_tempesta_seven_extended.ttf
2009-06-07 02:52 . 2009-06-07 02:53 22176 ----a-w- c:\windows\Fonts\pf_tempesta_seven.ttf
2009-06-07 02:52 . 2009-06-07 02:53 22160 ----a-w- c:\windows\Fonts\pf_tempesta_seven_extended_bold.ttf
2009-06-07 02:52 . 2009-06-07 02:53 21780 ----a-w- c:\windows\Fonts\pf_tempesta_seven_bold.ttf
2009-06-07 02:52 . 2009-06-07 02:53 21616 ----a-w- c:\windows\Fonts\pf_tempesta_seven_condensed.ttf
2009-06-07 02:52 . 2009-06-07 02:53 21160 ----a-w- c:\windows\Fonts\pf_tempesta_seven_condensed_bold.ttf
2009-06-07 02:52 . 2009-06-07 02:53 20796 ----a-w- c:\windows\Fonts\pf_tempesta_seven_compressed_bold.ttf
2009-06-07 02:52 . 2009-06-07 02:53 20396 ----a-w- c:\windows\Fonts\pf_tempesta_seven_compressed.ttf
2009-06-07 02:37 . 2009-06-07 02:38 48080 ----a-w- c:\windows\Fonts\KROE0555.TTF
2009-06-07 02:37 . 2009-06-07 02:38 365264 ----a-w- c:\windows\Fonts\Segoe UI .ttf
2009-06-07 02:37 . 2009-06-07 02:38 12056 ----a-w- c:\windows\Fonts\Blank.ttf
2009-06-05 16:13 . 2009-06-05 16:13 -------- d-----w- c:\documents and settings\Suil\Application Data\Thunderbird
2009-06-03 19:27 . 2004-08-04 10:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:52 . 2006-03-04 03:33 659456 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:52 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-15 14:37 . 2008-09-17 21:10 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-06-05 22:05 . 2006-06-05 22:05 56 --sha-r- c:\windows\system32\0E1A64F2CB.sys
2006-06-05 22:05 . 2006-06-05 22:05 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 987187]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-16 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"F-Secure Manager"="c:\program files\Embarq Online Security 8\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Embarq Online Security 8\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-15 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-16 397312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-4 98304]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-30 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TabletService"=2 (0x2)
"stllssvr"=3 (0x3)
"gusvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [11/14/2008 6:21 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [11/14/2008 6:10 PM 79904]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Embarq Online Security 8\HIPS\drivers\fshs.sys [11/14/2008 6:10 PM 66720]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [7/22/2006 10:40 AM 8192]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Embarq Online Security 8\Anti-Virus\minifilter\fsgk.sys [11/14/2008 6:09 PM 99960]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Embarq Online Security 8\ORSP Client\fsorsp.exe [11/14/2008 6:10 PM 55904]
S2 BootScreen;BootScreen;c:\windows\system32\drivers\vidstub.sys --> c:\windows\system32\drivers\vidstub.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/13/2008 5:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/13/2008 5:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/13/2008 5:49 PM 23680]
S3 VirtualDK;VirtualDK;\??\c:\ubcd4win\vdk.sys --> c:\ubcd4win\vdk.sys [?]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsfilter.sys [11/14/2008 6:09 PM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Embarq Online Security 8\Anti-Virus\win2k\fsrec.sys [11/14/2008 6:09 PM 25184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-14 03:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com/?ctid=CT1978305
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 127.0.0.1:8100
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\\Application Data\Mozilla\Firefox\Profiles\9lqkiec1.Default User\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?continue=http://www.google.com/ig&followup=http://www.google.com/ig&service=ig&passive=true&cd=US&hl=en&nui=1&ltmpl=default
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 20:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\Æ 3*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(932)
c:\program files\Embarq Online Security 8\FSPS\program\fslsp.dll
c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll

- - - - - - - > 'explorer.exe'(5384)
c:\program files\Embarq Online Security 8\Spam Control\fsscoepl.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'csrss.exe'(848)
c:\program files\Embarq Online Security 8\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Embarq Online Security 8\Anti-Virus\fsgk32st.exe
c:\program files\Embarq Online Security 8\Common\FSMA32.EXE
c:\program files\Embarq Online Security 8\Anti-Virus\fsgk32.exe
c:\program files\Embarq Online Security 8\Common\FSMB32.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\pvsw\bin\w3dbsmgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Embarq Online Security 8\Common\FCH32.EXE
c:\program files\Embarq Online Security 8\Anti-Virus\fsqh.exe
c:\program files\Embarq Online Security 8\Common\FAMEH32.EXE
c:\program files\Embarq Online Security 8\FSPC\fspc.exe
c:\program files\Embarq Online Security 8\FSAUA\program\fsaua.exe
c:\program files\Embarq Online Security 8\Anti-Virus\fssm32.exe
c:\program files\Embarq Online Security 8\FWES\program\fsdfwd.exe
c:\program files\Embarq Online Security 8\FSAUA\program\fsus.exe
c:\progra~1\EMBARQ~1\ANTI-V~1\fsav32.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\progra~1\EMBARQ~1\Common\FSM32.EXE
c:\program files\Embarq Online Security 8\FSGUI\fsguidll.exe
c:\program files\Dell Support Center\gs_agent\dsc.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-07-21 20:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-21 00:39

Pre-Run: 10,793,132,032 bytes free
Post-Run: 10,828,546,048 bytes free
436 --- E O F --- 2009-07-19 20:13
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/20/2009 8:48:40 PM for strings:
; 'hjgruidmydckil'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 7/20/2009 8:44:06 PM for strings:
; 'uacd.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Looks like that fixed it.

How is the computer running now?

Thank you Mr.EvilFantasy!!! It seems to be doing FINE. I am having a few other issues, but I think that is because I had to replace a system file and has NOTHING to do with viruses... ah well... thanks again, and I will send anyone else with a malware problem your way....

You're welcome.
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
The above procedure will:
- Delete ComboFix and its associated files and folders.
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Go to Microsoft Windows Update and get all critical updates.
----------
I suggest using WOT - WEB of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ
Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
----------
Let me know if anything else comes up.
Safe surfing...