8 Steps Complete

Inactive
By msvaughan
Nov 15, 2010
Topic Status:
Not open for further replies.
  1. I am helping a friend out with his Laptop. Dell Latitude 131L
    He has gotten several viruses that I thought I cleaned up, but yesterday someone sent over 600 e-mails from his hotmail account. He thinks it was hacked, I think it was a virus.

    I have don't 3 different scans, MS Security Essentials, Trend Micro and Malware Antibytes and found nothing. Here are the other logs as requested in the 8 steps.

    Thanks for your help in advance

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5117

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/14/2010 8:52:28 PM
    mbam-log-2010-11-14 (20-52-28).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 193553
    Time elapsed: 57 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------------------------------------------------------------------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-11-14 22:05:34
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8034GSX rev.AH301D
    Running: 48vdc9zx.exe; Driver: C:\DOCUME~1\DELLCU~1\LOCALS~1\Temp\kflyrpow.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[2436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3156] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10405CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \FileSystem\Fastfat \Fat AE067D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- EOF - GMER 1.0.15 ----

    DDS (Ver_10-11-10.01) - NTFSx86
    Run by Dell Customer at 22:08:19.46 on Sun 11/14/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1219 [GMT -5:00]

    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Dell Customer\Desktop\dds.scr
    \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
    uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177373752500
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dellcu~1\applic~1\mozilla\firefox\profiles\7s6eghe1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com
    FF - plugin: c:\documents and settings\dell customer\application data\mozilla\firefox\profiles\7s6eghe1.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {296F8082-177E-4560-AF57-66657CC3B8DB} - c:\documents and settings\dell customer\local settings\application data\{296F8082-177E-4560-AF57-66657CC3B8DB}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 151216]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

    =============== Created Last 30 ================

    2010-11-15 00:33:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-15 00:33:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 00:33:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-14 11:56:12 6146896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{79f13ae7-a571-4750-8d01-9ea0feebdac3}\mpengine.dll
    2010-11-13 17:50:05 -------- d-----w- c:\program files\iPod
    2010-11-13 17:49:58 -------- d-----w- c:\program files\iTunes
    2010-10-22 15:14:14 -------- d-----w- c:\docume~1\dellcu~1\applic~1\Malwarebytes
    2010-10-22 15:14:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

    ==================== Find3M ====================

    2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-04 10:22:49 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-09-28 10:13:21 0 ----a-w- c:\windows\Fcozig.bin
    2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

    ============= FINISH: 22:08:39.10 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-10.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 4/23/2007 5:36:17 PM
    System Uptime: 11/14/2010 7:49:44 PM (3 hours ago)

    Motherboard: Dell Inc. | | 0PM607
    Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 | 1795/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 47.127 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1390 WLAN Mini-Card
    Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&232B014&0&0030
    Manufacturer: Broadcom
    Name: Dell Wireless 1390 WLAN Mini-Card
    PNP Device ID: PCI\VEN_14E4&DEV_4311&SUBSYS_00071028&REV_01\4&232B014&0&0030
    Service: BCM43XX

    ==== System Restore Points ===================

    RP1159: 8/17/2010 5:45:11 PM - System Checkpoint
    RP1160: 8/19/2010 8:48:26 PM - System Checkpoint
    RP1161: 8/20/2010 9:42:39 PM - System Checkpoint
    RP1162: 8/24/2010 7:15:09 PM - System Checkpoint
    RP1163: 8/25/2010 9:18:35 PM - System Checkpoint
    RP1164: 8/26/2010 6:28:07 PM - Removed ATI RADEON 9800 Chimp Demo v1.0
    RP1165: 8/26/2010 6:29:58 PM - Removed ATI RADEON 9700 Pipe Dream Demo v1.1
    RP1166: 8/26/2010 6:30:45 PM - Removed Garmin WebUpdater
    RP1167: 8/26/2010 6:32:07 PM - Removed Roxio Creator Audio
    RP1168: 8/26/2010 6:33:35 PM - Removed Roxio Creator DE
    RP1169: 8/26/2010 6:34:16 PM - Removed Roxio Creator Tools
    RP1170: 8/26/2010 6:36:04 PM - Removed Bonjour
    RP1171: 8/27/2010 7:30:20 PM - System Checkpoint
    RP1172: 8/28/2010 8:24:21 PM - System Checkpoint
    RP1173: 8/29/2010 8:41:18 PM - System Checkpoint
    RP1174: 8/31/2010 6:45:53 AM - System Checkpoint
    RP1175: 9/1/2010 6:47:03 AM - System Checkpoint
    RP1176: 9/2/2010 7:26:29 AM - System Checkpoint
    RP1177: 9/3/2010 7:52:48 AM - System Checkpoint
    RP1178: 9/4/2010 8:14:53 AM - System Checkpoint
    RP1179: 9/4/2010 1:07:43 PM - Software Distribution Service 3.0
    RP1180: 9/5/2010 2:05:47 PM - System Checkpoint
    RP1181: 9/6/2010 2:11:10 PM - System Checkpoint
    RP1182: 9/7/2010 3:09:22 PM - System Checkpoint
    RP1183: 9/8/2010 3:37:09 PM - System Checkpoint
    RP1184: 9/9/2010 8:48:48 AM - Avg Update
    RP1185: 9/10/2010 9:00:40 AM - System Checkpoint
    RP1186: 9/11/2010 10:24:33 AM - System Checkpoint
    RP1187: 9/12/2010 10:36:10 AM - System Checkpoint
    RP1188: 9/13/2010 11:29:24 AM - System Checkpoint
    RP1189: 9/14/2010 12:58:01 PM - System Checkpoint
    RP1190: 9/15/2010 10:49:28 AM - Software Distribution Service 3.0
    RP1191: 9/16/2010 10:51:19 AM - System Checkpoint
    RP1192: 9/17/2010 11:53:37 AM - System Checkpoint
    RP1193: 9/18/2010 1:01:03 PM - System Checkpoint
    RP1194: 9/19/2010 1:25:39 PM - System Checkpoint
    RP1195: 9/20/2010 1:47:21 PM - System Checkpoint
    RP1196: 9/21/2010 2:11:06 PM - System Checkpoint
    RP1197: 9/22/2010 2:25:14 PM - System Checkpoint
    RP1198: 9/23/2010 9:49:37 AM - Avg Update
    RP1199: 9/23/2010 9:50:51 AM - Avg Update
    RP1200: 9/24/2010 10:41:24 AM - System Checkpoint
    RP1201: 9/25/2010 10:48:14 AM - System Checkpoint
    RP1202: 9/26/2010 10:57:30 AM - System Checkpoint
    RP1203: 9/27/2010 11:12:27 AM - System Checkpoint
    RP1204: 9/28/2010 12:33:20 PM - System Checkpoint
    RP1205: 9/28/2010 7:01:57 PM - Software Distribution Service 3.0
    RP1206: 9/28/2010 7:04:53 PM - Removed AVG Free 9.0
    RP1207: 9/28/2010 7:06:49 PM - Microsoft Antimalware Checkpoint
    RP1208: 9/28/2010 7:27:06 PM - Software Distribution Service 3.0
    RP1209: 9/29/2010 5:32:11 AM - Software Distribution Service 3.0
    RP1210: 9/30/2010 4:48:34 AM - Software Distribution Service 3.0
    RP1211: 10/1/2010 5:12:45 AM - Software Distribution Service 3.0
    RP1212: 10/2/2010 1:28:44 PM - Software Distribution Service 3.0
    RP1213: 10/3/2010 2:06:11 PM - System Checkpoint
    RP1214: 10/4/2010 6:26:59 AM - Software Distribution Service 3.0
    RP1215: 10/4/2010 1:08:28 PM - Software Distribution Service 3.0
    RP1216: 10/5/2010 2:01:19 PM - System Checkpoint
    RP1217: 10/6/2010 6:16:20 AM - Software Distribution Service 3.0
    RP1218: 10/7/2010 6:20:57 AM - Software Distribution Service 3.0
    RP1219: 10/8/2010 6:25:14 AM - Software Distribution Service 3.0
    RP1220: 10/8/2010 6:26:51 AM - Software Distribution Service 3.0
    RP1221: 10/9/2010 7:00:17 AM - System Checkpoint
    RP1222: 10/10/2010 6:48:41 AM - Software Distribution Service 3.0
    RP1223: 10/11/2010 7:31:29 AM - System Checkpoint
    RP1224: 10/11/2010 12:55:18 PM - Software Distribution Service 3.0
    RP1225: 10/12/2010 1:22:37 PM - System Checkpoint
    RP1226: 10/13/2010 6:23:59 AM - Software Distribution Service 3.0
    RP1227: 10/13/2010 6:34:48 AM - Software Distribution Service 3.0
    RP1228: 10/14/2010 6:31:16 AM - Software Distribution Service 3.0
    RP1229: 10/14/2010 8:53:44 PM - Software Distribution Service 3.0
    RP1230: 10/16/2010 6:11:27 AM - Software Distribution Service 3.0
    RP1231: 10/17/2010 6:34:17 AM - Software Distribution Service 3.0
    RP1232: 10/18/2010 7:44:12 AM - System Checkpoint
    RP1233: 10/18/2010 1:24:00 PM - Software Distribution Service 3.0
    RP1234: 10/19/2010 1:49:05 PM - System Checkpoint
    RP1235: 10/19/2010 11:29:17 PM - Software Distribution Service 3.0
    RP1236: 10/20/2010 6:41:31 AM - Software Distribution Service 3.0
    RP1237: 10/21/2010 6:56:03 AM - Software Distribution Service 3.0
    RP1238: 10/22/2010 7:00:06 AM - System Checkpoint
    RP1239: 10/22/2010 10:51:20 AM - Software Distribution Service 3.0
    RP1240: 10/23/2010 11:46:19 AM - System Checkpoint
    RP1241: 10/24/2010 6:50:55 AM - Software Distribution Service 3.0
    RP1242: 10/25/2010 10:05:13 AM - Software Distribution Service 3.0
    RP1243: 10/25/2010 1:16:00 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP1244: 10/25/2010 1:18:16 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP1245: 10/26/2010 1:58:35 PM - System Checkpoint
    RP1246: 10/27/2010 3:10:26 PM - System Checkpoint
    RP1247: 10/28/2010 6:59:56 AM - Software Distribution Service 3.0
    RP1248: 10/29/2010 7:08:16 AM - Software Distribution Service 3.0
    RP1249: 10/30/2010 11:37:11 AM - Software Distribution Service 3.0
    RP1250: 10/31/2010 11:59:33 AM - System Checkpoint
    RP1251: 11/1/2010 5:47:25 AM - Software Distribution Service 3.0
    RP1252: 11/1/2010 12:47:33 PM - Software Distribution Service 3.0
    RP1253: 11/2/2010 1:29:51 PM - System Checkpoint
    RP1254: 11/3/2010 6:25:37 AM - Software Distribution Service 3.0
    RP1255: 11/4/2010 7:57:16 AM - System Checkpoint
    RP1256: 11/5/2010 6:16:23 AM - Software Distribution Service 3.0
    RP1257: 11/6/2010 6:42:13 AM - Software Distribution Service 3.0
    RP1258: 11/7/2010 6:43:01 AM - System Checkpoint
    RP1259: 11/8/2010 6:07:53 AM - Software Distribution Service 3.0
    RP1260: 11/8/2010 12:42:31 PM - Software Distribution Service 3.0
    RP1261: 11/9/2010 12:44:55 PM - System Checkpoint
    RP1262: 11/10/2010 6:19:45 AM - Software Distribution Service 3.0
    RP1263: 11/10/2010 6:23:20 AM - Software Distribution Service 3.0
    RP1264: 11/11/2010 7:27:37 AM - System Checkpoint
    RP1265: 11/12/2010 6:15:38 AM - Software Distribution Service 3.0
    RP1266: 11/13/2010 6:38:48 AM - Software Distribution Service 3.0
    RP1267: 11/14/2010 6:55:51 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    Adobe Flash Player 10 Plugin
    Adobe Flash Player 9 ActiveX
    Adobe Reader 8.1.3
    AMD Processor Driver
    AnswerWorks 4.0 Runtime - English
    AnswerWorks 5.0 English Runtime
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Astro Gemini Screensaver Manager 1.2
    ATI Catalyst Control Center
    ATI Display Driver
    Bonjour
    Broadcom Management Programs
    CCleaner (remove only)
    Conexant HDA D110 MDC V.92 Modem
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Wireless WLAN Card
    Digital Line Detect
    Garmin City Navigator Europe NT 2010
    Garmin City Navigator North America 2009
    Garmin City Navigator North America NT 2009 Update
    Garmin City Navigator North America NT 2010.30
    Garmin Communicator Plugin
    Garmin MapSource
    Garmin POI Loader
    Garmin USB Drivers
    Garmin WebUpdater
    Google Earth
    Google Update Helper
    Hampton Hotels eDirectory with MultiView Reader
    Hitman Pro 3.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    IE New Window Maximizer 2.4
    iPhone Configuration Utility
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) SE Runtime Environment 6 Update 1
    Lexmark Z600 Series
    Lotus SmartSuite Release 9.5
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft English TTS Engine
    Microsoft IntelliPoint 6.01
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Access database engine 2007 (English)
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Streets & Trips 2009
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MobileMe Control Panel
    Modem Helper
    Mozilla Firefox (3.6.12)
    MSXML 6 Service Pack 2 (KB954459)
    NetWaiting
    Octoshape add-in for Adobe Flash Player
    PowerDVD 5.7
    QuickSet
    QuickTime
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic Activation Module
    Sony USB Driver
    Spelling Dictionaries Support For Adobe Reader 8
    Synaptics Pointing Device Driver
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax Basic 2007
    TurboTax ItsDeductible 2006
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WexTech AnswerWorks
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0

    ==== Event Viewer Messages From Past Week ========

    11/9/2010 6:40:57 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 0019B96884F1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    11/14/2010 9:05:41 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    11/14/2010 7:47:17 PM, error: Service Control Manager [7034] - The NICCONFIGSVC service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:17 PM, error: Service Control Manager [7034] - The LexBce Server service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:17 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:17 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:17 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:17 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/14/2010 7:47:16 PM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:16 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    11/14/2010 7:47:16 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot. I'll help with the malware. But first, tell me if there are any other possibly malware related problem other than the emails.
    Do you mean that people got emails with his name on them that he did not send? Are you aware that if someone has his email address in his Contacts and they get a mass mailing Worm, that the emails get sent out in the name of everyone listed in the Contacts with their name on them?

    I see some entries that will need to be removed but would appreciate any additional information from you. In the meantime, go ahead and run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix..
    ==========================================
    Go ahead and update the Java> it is way out of date and a vulnerability: Check this site :Java Updates Stay current as most updates are for security. Currently he has v6u1 and the most current is v6u22. Uninstall any earlier versions in Add/Remove Programs.
    ========================================
    Please uninstall this program now: Hitman Pro 3.5

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Again, thanks for your help!

    You can actually see in his sent folder over 600 e-mails that were sent out. So maybe they hacked it externally and we just need to change his password. Thoughts?

    Okay here is what you have asked for:
    1. Hitman Pro uninstalled.
    2. Java Updated to 6.22
    3. Old Java Uninstalled

    Logs following:
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=f364e9bf590968499b0a0951b9bdce0b
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-15 03:24:19
    # local_time=2010-11-15 10:24:19 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=5891 16776869 100 100 0 19344059 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=61122
    # found=0
    # cleaned=0
    # scan_time=1980

    ComboFix 10-11-14.04 - Dell Customer 11/15/2010 10:35:04.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1385 [GMT -5:00]
    Running from: c:\documents and settings\Dell Customer\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Dell Customer\GoToAssistDownloadHelper.exe
    c:\documents and settings\Dell Customer\Local Settings\Application Data\{296F8082-177E-4560-AF57-66657CC3B8DB}
    c:\documents and settings\Dell Customer\Local Settings\Application Data\{296F8082-177E-4560-AF57-66657CC3B8DB}\chrome.manifest
    c:\documents and settings\Dell Customer\Local Settings\Application Data\{296F8082-177E-4560-AF57-66657CC3B8DB}\chrome\content\_cfg.js
    c:\documents and settings\Dell Customer\Local Settings\Application Data\{296F8082-177E-4560-AF57-66657CC3B8DB}\chrome\content\overlay.xul
    c:\documents and settings\Dell Customer\Local Settings\Application Data\{296F8082-177E-4560-AF57-66657CC3B8DB}\install.rdf
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-15 to 2010-11-15 )))))))))))))))))))))))))))))))
    .

    2010-11-15 14:42 . 2010-11-15 14:42 -------- d-----w- c:\program files\ESET
    2010-11-15 12:18 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4C139F02-B7AE-461F-A97C-B7525E20FFC2}\mpengine.dll
    2010-11-15 00:33 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-15 00:33 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 00:33 . 2010-11-15 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 17:50 . 2010-11-13 17:50 -------- d-----w- c:\program files\iPod
    2010-11-13 17:49 . 2010-11-13 17:51 -------- d-----w- c:\program files\iTunes
    2010-10-26 18:27 . 2010-10-26 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2010-10-25 15:21 . 2010-10-25 17:14 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\Dell Customer\Application Data\Malwarebytes
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-14 21:47 . 2010-09-28 23:20 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-10-19 20:51 . 2010-09-28 23:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2010-09-30 08:48 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-10-04 10:22 . 2010-09-28 23:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-09-28 23:02 . 2010-09-28 23:27 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2010-09-18 16:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2004-08-10 17:50 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 17:51 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 17:51 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 17:51 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 11:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-10 17:50 617472 ----a-w- c:\windows\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-05-10 16:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-11-23 05:35 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE New Window Maximizer]
    2005-02-09 03:06 356352 ----a-w- c:\program files\IE New Window Maximizer\iemaximizer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2006-09-22 18:28 761947 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-11-04 22:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:06 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-08 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

    2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
    uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com
    FF - plugin: c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-15 10:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(624)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-11-15 10:39:45
    ComboFix-quarantined-files.txt 2010-11-15 15:39

    Pre-Run: 50,348,929,024 bytes free
    Post-Run: 50,305,736,704 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 921C4A0587F1941413EFE9743D9B527B
  4. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bump, I know you are busy. I just need to get his computer back this week before the holidays start here. Thanks again.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I know you want this handled. But I also want to make sure the second thread you started is not for the same computer. Let me know. Tell your friend that in this country, we also consider Saturday and Sunday, the weekend, a sort of holiday. As such, we volunteers may not be as active during those days as we choose to spend time in out 'other' life.
  6. msvaughan

    msvaughan Newcomer, in training Topic Starter

    I replied to you other, this PC and the other are two totally different machines.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm working on the script for this system tonight. I have them separated clearly (for me!) The Eset scan is clean. Mbam and GMER are clean.

    Have him update to Java v6u22 and uninstall the Outdated version: Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    ======================================
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    8 Steps Complete
    I am helping a friend out with his Laptop. Dell Latitude 131L
    http://www.techspot.com/vb/topic156610.html (this thread)

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11
    8 steps complete for desktop
    I thought my desktop was clean,
    http://www.techspot.com/vb/topic156673.html (your thread)
  8. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bobbye,

    Thanks for all you work. I did install 6 22 Java and uninstalled all other lower versions.

    I have done that on both systems.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you ask him if any or all of these are required by his ISP?

    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
    uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local


    There is a part of Combofix missing> it will have an R or an S at the beginning of each entry followed by number 0-4. Those are for the Drivers and Services.
    =======================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    
    DDS::
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    
    Registry::
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==========================================

    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  10. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bobbye,

    I did not ask him if those are needed or belong to his ISP. He would not know what to ask or where.

    Do you want me to post the old log for drivers? I noticed that the touch pad does not scroll up and down now, so I am sure you need it.

    I did the script and here are the new logs.

    Please let me know if you want me to try and paste the old log or what i need to do about that now.

    ComboFix 10-11-14.04 - Dell Customer 11/17/2010 20:31:20.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1372 [GMT -5:00]
    Running from: c:\documents and settings\Dell Customer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dell Customer\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\drivers\hitmanpro35.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\hitman pro 3.5\HitmanPro35.exe
    c:\windows\system32\drivers\hitmanpro35.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
    .

    2010-11-15 15:44 . 2010-11-15 15:43 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-11-15 15:44 . 2010-11-15 15:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-15 15:43 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A7EBBCDD-FD8B-4AF8-9E85-40BB1E8F071A}\mpengine.dll
    2010-11-15 14:42 . 2010-11-15 14:42 -------- d-----w- c:\program files\ESET
    2010-11-15 00:33 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-15 00:33 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 00:33 . 2010-11-15 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 17:50 . 2010-11-13 17:50 -------- d-----w- c:\program files\iPod
    2010-11-13 17:49 . 2010-11-13 17:51 -------- d-----w- c:\program files\iTunes
    2010-10-26 18:27 . 2010-10-26 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2010-10-25 15:21 . 2010-10-25 17:14 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\Dell Customer\Application Data\Malwarebytes
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-15 15:43 . 2007-04-24 17:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-19 20:51 . 2010-09-28 23:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2010-09-30 08:48 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-10-04 10:22 . 2010-09-28 23:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-09-28 23:02 . 2010-09-28 23:27 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2010-09-18 16:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2004-08-10 17:50 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 17:51 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 17:51 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 17:51 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 11:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-10 17:50 617472 ----a-w- c:\windows\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-05-10 16:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-11-23 05:35 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE New Window Maximizer]
    2005-02-09 03:06 356352 ----a-w- c:\program files\IE New Window Maximizer\iemaximizer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2006-09-22 18:28 761947 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-11-04 22:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:06 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-08 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
    uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com
    FF - plugin: c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-17 20:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(796)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1364)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-17 20:43:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-18 01:43
    ComboFix2.txt 2010-11-15 15:39

    Pre-Run: 50,156,351,488 bytes free
    Post-Run: 50,152,439,808 bytes free

    - - End Of File - - 5D3ADA1611C7DD3DA5881C55B2DB422F

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:53:53 PM, on 11/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_22.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_22.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177373752500
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6774 bytes
  11. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bobbye,

    The system seems to be running much slower now. Any recommendations?
     
  12. msvaughan

    msvaughan Newcomer, in training Topic Starter

    I posted my reply to this but I am not sure if it posted. Its not here.

    My friend would not know where to ask about those questions for his ISP. And I do not know the answers to your questions.

    Is there a way for me to find to old Combofix log now that i have run the new one?I noticed the touchpad doesn't fully work, it wont aloow you to scroll up and down using the touchpad now.

    The system seems to be running mcuh slower now, almost like its having conflicts or something. Any thoughts?

    Logs here:
    ComboFix 10-11-14.04 - Dell Customer 11/17/2010 20:31:20.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1372 [GMT -5:00]
    Running from: c:\documents and settings\Dell Customer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Dell Customer\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\drivers\hitmanpro35.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\hitman pro 3.5\HitmanPro35.exe
    c:\windows\system32\drivers\hitmanpro35.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
    .

    2010-11-15 15:44 . 2010-11-15 15:43 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-11-15 15:44 . 2010-11-15 15:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-15 15:43 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A7EBBCDD-FD8B-4AF8-9E85-40BB1E8F071A}\mpengine.dll
    2010-11-15 14:42 . 2010-11-15 14:42 -------- d-----w- c:\program files\ESET
    2010-11-15 00:33 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-15 00:33 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 00:33 . 2010-11-15 00:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-13 17:50 . 2010-11-13 17:50 -------- d-----w- c:\program files\iPod
    2010-11-13 17:49 . 2010-11-13 17:51 -------- d-----w- c:\program files\iTunes
    2010-10-26 18:27 . 2010-10-26 18:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2010-10-25 15:21 . 2010-10-25 17:14 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\Dell Customer\Application Data\Malwarebytes
    2010-10-22 15:14 . 2010-10-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-15 15:43 . 2007-04-24 17:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-19 20:51 . 2010-09-28 23:01 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-07 23:21 . 2010-09-30 08:48 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-10-04 10:22 . 2010-09-28 23:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2010-09-28 23:02 . 2010-09-28 23:27 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2010-09-18 16:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2004-08-10 17:51 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53 . 2004-08-10 17:51 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-09-01 11:51 . 2004-08-10 17:50 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42 . 2004-08-10 17:51 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57 . 2004-08-10 17:51 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 13:39 . 2004-08-10 17:51 357248 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-08-26 12:52 . 2009-04-15 11:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12 . 2004-08-10 17:50 617472 ----a-w- c:\windows\system32\comctl32.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2006-05-10 16:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-11-23 05:35 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE New Window Maximizer]
    2005-02-09 03:06 356352 ----a-w- c:\program files\IE New Window Maximizer\iemaximizer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2006-07-07 23:15 600896 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-11-11 05:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2006-09-22 18:28 761947 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2004-11-04 22:40 98394 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/30/2010 12:06 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-11-08 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 17:05]

    2010-11-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    uInternet Settings,ProxyServer = sas.se1.attbb.net:8000
    uInternet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    Trusted Zone: intuit.com\ttlc
    FF - ProfilePath - c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.hotmail.com
    FF - plugin: c:\documents and settings\Dell Customer\Application Data\Mozilla\Firefox\Profiles\7s6eghe1.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-17 20:38
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(796)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1364)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-11-17 20:43:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-11-18 01:43
    ComboFix2.txt 2010-11-15 15:39

    Pre-Run: 50,156,351,488 bytes free
    Post-Run: 50,152,439,808 bytes free

    - - End Of File - - 5D3ADA1611C7DD3DA5881C55B2DB422F
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:53:53 PM, on 11/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=h6QDYRnkO80H61RJs72csOlpj2Q
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_22.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_22.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177373752500
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 6774 bytes
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    He either picks up the phone and calls the IDP or finds their site, looks for Support or Customer Service, sending an email to asks for a description of the setup they require. Malware can cause routing to bad port. Ask about the following:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=...1RJs72csOlpj2Q>> Port 4664 is usually used for the Google Desktop Search
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000>> Port 8000 is commonly used for iRDMI (Intel Remote Desktop Management Interface)—sometimes erroneously used instead of port 8080 or Port 8000–8001 TCP is commonly used for internet radio streams such as those using SHOUTcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>;*.local

    Port help source: Wiki

    When SBC/Global/Yahoo/ATT. went their separate ways, their internet connections settings reflected which carrier they choose and/or what their location was. He just need to fins out which of these is right or if they're all right.

    For Touchpad: Control Panel> Mouse> Touchpad tab> Make adjustments there> Click on Apply> OK when through.

    The system can be slower due to the scanning programs and logs- they will be removed when clean. He can also take some processes off of Startup such as Office, iTunes< Quick Time and the printer.
  14. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bobbye,

    I called Comcast his ISP and they do not use Internet Wizzard or Proxy server or Proxxy Override but because I am not him, they would not give me much else. And he is 73 years old, so he is not even going to know what to ask. I think we could delete them, do you think it will cause HUGE issues? I mean, I could walk it back through setting up Comcast if I need to.

    Its still hanging up loading some webpages, its not as fast as it was, but I will eait to see when we delete the programs.

    Thanks for your help and I will wait to hear your next steps.
  15. msvaughan

    msvaughan Newcomer, in training Topic Starter

    Bobbye,

    Can i go ahead and delete the programs and logs off his computer?
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.