Solved 8 Steps help Please. Malware infecting me


BigDaddyKLX

Please help, I have followed the 8 steps, and have attached the logs here per the instructions.

I have some malware that is blocking windows update, and is redirecting me when clicking links on web searches.

Thank you very much for your help, I am in a jam!

Kevin
 

Attachments

  • mbam-log-2010-07-25 (02-35-31).txt (959 bytes)
  • Attach.txt (23.6 KB)
  • DDS.txt (13.1 KB)
  • gmer.log (925 bytes)
'Morning Kevin! We'll work on the malware, but first you need to trim your antivirus programs down. You are using two AV programs: AV: McAfee VirusScan and AV: Trend Micro AntiVirus. Multiple AV programs can make the system more vulnerable and also slow it down. Here is a tool that can help: McAfee Removal

After you have removed one of these, please reboot the computer.

You should also update Java to v6u21. Then remove the earlier versions in Add/Remove Programs, as they are vulnerabilities to the system. Check this site: Java Updates

I would like to get more specific about the problem. Having trouble with getting Windows Update is an ongoing thing and there are various reasons. So please tell me what happens when you try to update. Is there an error message? For instance:

You may encounter temporary connection-related errors when you use Windows Update or Microsoft Update to install updates
These errors may occur caused by any of the following issues:
  • Applications or processes that interfere with Internet communications
  • Resource issues on your computer
  • High Internet activity
  • Recoverable database errors
See http://support.microsoft.com/kb/836941

As for the redirects:
Which browser? If more than one browser, which ones? Do you get sent to another site when you do a specific search, choose a hit from a search or type a URL in the Address Bar?
 
Thanks for the quick reply!

Okay, I ran the McAfee removal tool, and it was successful. Then rebooted.

Updated Java, and then had to remove v6u7. That was successful.

When I go to update, I get error message 0x80072EFF.

I tried to go to the update from Microsoft's web site directly. When I go to automatic updates on my PC, and click the link to windows update, the explorer just acts like I am disconnected from the internet and tells me to diagnose my connection problems.

I am using IE version 8 only.

I believe this started when my son clicked on an email link that said he won a 1000 best buy gift card. Since then the computer has been acting up.

The other thing that happened initially was that my Windows Firewall was down. I couldn't restart the service nor turn it back on. That was a week ago, and I turned off the computer for a week while on vacation.

The firewall is back up now though.

What is happening now, in addition to the windows update issue, is when doing a search on yahoo or google, I click on the links in the search results and am redirected to odd shopping sites.

For example, when I found this message board in the search, simply clicking on the link takes me to shopcompareus .com. If I right click and say open link in separate tab, I can get to the actual link.

Thanks again for your help.
 
Update

I left the computer on a bit today, and the firewall went down again.

I could not turn it back on.

I didn't see how, I was away from the computer.

I shut down. Now I have rebooted and the firewall is back up.

This is not good.
 
For the present, we'll leave the Windows Updates out of the picture:

Download eSec-Info2.zip and save it to your Desktop.
You will need to extract the file.
  • Right click on the zipped folder> click on Extract All...
  • Click on Next in the 'Extraction Wizard' window that opens
  • Click on Next in the next window that appears
  • Click on Finish in the final window
    --------------------------------------
  • To run, Double click on the folder Sec-info2.vbs
  • When completed, a text file named Sec-Info.txt is created in the same folder
  • Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.
================================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double-click combofix.exe and follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install the Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow it.
     Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please post C:\ComboFix.txt in your next reply.
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: Make sure you re-enable your security programs, including your antivirus software, when you are done with ComboFix.
======================================
Please paste the logs into your next reply.
 
here is the sec info:

Script run: 7/26/2010 10:11:21 AM

~~~~~~~~~~~~~~~~~~~~~~~~

Company Name:
AV Name: Trend Micro AntiVirus
Version Number: 17.50.1647
On-Access Scanning Enabled: Yes
Product up-to-date: Yes

~~~~~~~~~~~~~~~~~~~~~~~~

The Windows Firewall is enabled.

~~~~~~~~~~~~~~~~~~~~~~~~

The Security Center Anti-Virus Alerts are enabled.
The Security Center Firewall Alerts are enabled.

~~~~~~~~~~~~~~~~~~~~~~~~

Number of Restore Points found: 77

~~~~~~~~~~~~~~~~~~~~~~~~
 
Here you go.
I think I clicked on it the first time; it hung up for 30 minutes. Hard shut down and then ran ComboFix again; it completed successfully.

ComboFix 10-07-24.06 - Owner 07/26/2010 10:54:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1311 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\03032010_TIS17_SfFniAU.log
c:\windows\system32\service\05052010_TIS17_SfFniAU.log
c:\windows\system32\service\15022010_TIS17_SfFniAU.log
c:\windows\system32\service\25102009_TIS17_SfFniAU.log
c:\windows\system32\service\26112009_TIS17_SfFniAU.log
c:\windows\system32\service\29102009_TIS17_SfFniAU.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 04:58 . 2010-07-25 04:58 16256 ----a-w- c:\windows\system32\drivers\yxrurdkp.sys
2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-16 16:21 . 2008-06-23 22:31 -------- d-----w- c:\program files\Coupons
2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2005-01-09 23:48 1851264 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"showwnd"="showwnd.exe" [2003-09-19 36864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"nwiz"="nwiz.exe" [2005-07-09 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="mHotkey.exe" [2004-12-09 550912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 11:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\Citrix\MetaFrame Password Manager\SSOGina\SSOGina.DLL
c:\program files\Citrix\MetaFrame Password Manager\Plugin\EventMgr\EventReporter.dll
c:\program files\Citrix\MetaFrame Password Manager\resource.dll
.
Completion time: 2010-07-26 11:02:37
ComboFix-quarantined-files.txt 2010-07-26 18:02

Pre-Run: 154,805,125,120 bytes free
Post-Run: 154,881,015,808 bytes free

- - End Of File - - 819E4DEFE26E5556DBEC8507C59A0A19
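Editor's added example, not posted by either participant and not a ComboFix feature: a short Python script that re-reads the "Files Created" lines of the log above and applies the two checks that make c:\windows\system32\drivers\yxrurdkp.sys stand out from the other new files, an eight-letter name with almost no vowels, and a created time identical to the modified time. The sample lines are copied from the log above; the name-length and vowel thresholds are my own choices, not anything the helper stated.

```python
import re

# Lines taken from the ComboFix "Files Created" section posted above
# (the thread's own log lines, reused here as sample input).
SAMPLE_LOG = r"""
2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 04:58 . 2010-07-25 04:58 16256 ----a-w- c:\windows\system32\drivers\yxrurdkp.sys
2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
"""

# ComboFix line layout: <created> . <modified> <size> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
VOWELS = set("aeiou")


def parse_created_section(text):
    """Return one dict per entry; a leading 'd' in the attribute column marks a directory."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e["attrs"].startswith("d")
            entries.append(e)
    return entries


def looks_random(stem):
    """Heuristic with my own thresholds: exactly 8 lowercase letters and at most two
    vowels. Dropper-generated driver names tend to be fixed-length letter soup."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and sum(c in VOWELS for c in stem) <= 2


def triage(text):
    """Flag freshly created .sys files under system32\\drivers that look dropper-made."""
    findings = []
    for e in parse_created_section(text):
        if e["is_dir"]:
            continue
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if "\\system32\\drivers\\" not in path or ext != "sys":
            continue
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking driver name")
        if e["created"] == e["modified"]:
            # An installer copying a prebuilt driver keeps the build-time mtime
            # (compare mbam.sys: created in July, modified in April). A file written
            # out by a dropper carries identical create and modify stamps.
            reasons.append("created == modified (written in place, not copied by an installer)")
        if reasons:
            findings.append({"path": e["path"], "size": int(e["size"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["path"], f["size"], "bytes:", "; ".join(f["reasons"]))
```

Run as-is, only yxrurdkp.sys is reported, with both reasons. Treat it as a triage aid, not a verdict: the name test would also trip on terse vendor drivers such as tmpreflt.sys in the Services list above, and a driver that a legitimate installer builds on the spot will also show created == modified, so a hit still needs to be hashed and submitted for identification, which is what the helper asks for next.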
 
When I am trying to shut down now, it is asking me to install updates??? I am shutting down and saying no for now.
 
I just clicked the windows update link on the internet explorer, it works now too. I have not actually initiated any updates yet though. Looks like something was fixed?
 
You are a smart person! I know it's a nuisance and an inconvenience, but since updates have been known to cause problems at times, it is better to wait until we have finished.

You need to submit a file for identification. Suspicious file to scan (browse to it or upload it):

c:\windows\system32\drivers\yxrurdkp.sys

Submit to any of the following:(only 1 is needed)

http://www.virustotal.com/

http://virusscan.jotti.org/en

http://www.virscan.org/

Paste log in next reply.
 
File yxrurdkp.sys received on 2010.07.27 03:43:03 (UTC)

Result: 0/42 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2010.07.27.00 2010.07.26 -
AntiVir 8.2.4.26 2010.07.26 -
Antiy-AVL 2.0.3.7 2010.07.26 -
Authentium 5.2.0.5 2010.07.27 -
Avast 4.8.1351.0 2010.07.26 -
Avast5 5.0.332.0 2010.07.26 -
AVG 9.0.0.851 2010.07.26 -
BitDefender 7.2 2010.07.27 -
CAT-QuickHeal 11.00 2010.07.26 -
ClamAV 0.96.0.3-git 2010.07.27 -
Comodo 5551 2010.07.27 -
DrWeb 5.0.2.03300 2010.07.27 -
Emsisoft 5.0.0.34 2010.07.27 -
eSafe 7.0.17.0 2010.07.26 -
eTrust-Vet 36.1.7738 2010.07.26 -
F-Prot 4.6.1.107 2010.07.27 -
F-Secure 9.0.15370.0 2010.07.26 -
Fortinet 4.1.143.0 2010.07.24 -
GData 21 2010.07.27 -
Ikarus T3.1.1.84.0 2010.07.27 -
Jiangmin 13.0.900 2010.07.26 -
Kaspersky 7.0.0.125 2010.07.27 -
McAfee 5.400.0.1158 2010.07.27 -
McAfee-GW-Edition 2010.1 2010.07.27 -
Microsoft 1.6004 2010.07.26 -
NOD32 5315 2010.07.26 -
Norman 6.05.11 2010.07.26 -
nProtect 2010-07-26.02 2010.07.26 -
Panda 10.0.2.7 2010.07.26 -
PCTools 7.0.3.5 2010.07.27 -
Prevx 3.0 2010.07.27 -
Rising 22.58.01.01 2010.07.27 -
Sophos 4.55.0 2010.07.27 -
Sunbelt 6646 2010.07.27 -
SUPERAntiSpyware 4.40.0.1006 2010.07.27 -
Symantec 20101.1.1.7 2010.07.27 -
TheHacker 6.5.2.1.326 2010.07.27 -
TrendMicro 9.120.0.1004 2010.07.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
VBA32 3.12.12.6 2010.07.26 -
ViRobot 2010.7.26.3960 2010.07.26 -
VirusBuster 5.0.27.0 2010.07.26 -
Additional information
File size: 16256 bytes
MD5...: 1ff3217614018630d0a6758630fc698c
SHA1..: 09f6023b965069572c2d8f40df323cca2efb9143
SHA256: 78a3075bbff5d7adeac1527e65aca8527bfc509df124d44410bb46c4d96c96bb
ssdeep: 384:lz/UYwUp2PQ2LsxvDdd/KeOtIrXXJ69O3jZKonFA4yhXW:lzRhpOcxv7KDGZIOT3nFbQ

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2ff8
timedatestamp.....: 0x3a311d2b (Fri Dec 08 17:40:59 2000)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2c0 0x2df2 0x2e00 6.38 10228dda4a61b3490fac6f5562961c90
.rdata 0x30c0 0xd2 0xe0 4.06 5846b722253d03066e5aa486b82ecf74
.data 0x31a0 0x58b 0x5a0 3.10 6fdbba5ae45ccdfbc09409456f939041
INIT 0x3740 0x242 0x260 4.58 2cc1de2426414b82a40c8c9d036167e3
.rsrc 0x39a0 0x428 0x440 3.37 fff69297d195c8fb8803f2f19ffa51f4
.reloc 0x3de0 0x190 0x1a0 5.59 04df78fd3447a40d9aac562b113b9531

( 1 imports )
> SCSIPORT.SYS: ScsiPortWriteRegisterUlong, ScsiPortStallExecution, ScsiPortReadRegisterUchar, ScsiPortWriteRegisterUchar, ScsiPortGetPhysicalAddress, ScsiPortMoveMemory, ScsiPortNotification, ScsiPortGetLogicalUnit, ScsiPortFreeDeviceBase, ScsiPortGetDeviceBase, ScsiPortConvertUlongToPhysicalAddress, ScsiPortCompleteRequest, ScsiPortLogError, ScsiPortReadRegisterUlong, ScsiPortGetSrb, ScsiPortGetUncachedExtension, ScsiPortInitialize

( 0 exports )

RDS...: NSRL Reference Data Set
-
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
pdfid.: -
sigcheck:
publisher....: Symbios Logic Inc.
copyright....: Copyright (c) Symbios Logic Inc. 1992-1998
product......: Microsoft(R) Windows (R) 2000 Operating System
description..: Symbios Logic Inc. SCSI Miniport Driver
original name: SYMC810.SYS
internal name: DULUTH-4.00.01
file version.: 5.1.2409.1 (ReleaseBinaries.001205-1804)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
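Editor's added example, not from the thread and not a VirusTotal feature: the 0/42 result above only says that no engine had a signature for the file, but the sigcheck and PE blocks in the same report still carry facts that can be checked against each other. This script parses that report text and compares the submitted filename with the OriginalFilename in the version resource, flags a file that claims to be a Windows OS component yet carries no embedded signature, and checks section entropy for signs of packing. The sample input is the report excerpt above; the 7.0 entropy threshold is my assumption.

```python
import re

# Excerpt of the VirusTotal report posted above (the thread's own text, used as sample input).
SAMPLE_REPORT = """\
File yxrurdkp.sys received on 2010.07.27 03:43:03 (UTC)
Result: 0/42 (0%)
File size: 16256 bytes
MD5...: 1ff3217614018630d0a6758630fc698c
( base data )
entrypointaddress.: 0x2ff8
timedatestamp.....: 0x3a311d2b (Fri Dec 08 17:40:59 2000)
machinetype.......: 0x14c (I386)
( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2c0 0x2df2 0x2e00 6.38 10228dda4a61b3490fac6f5562961c90
.rdata 0x30c0 0xd2 0xe0 4.06 5846b722253d03066e5aa486b82ecf74
.data 0x31a0 0x58b 0x5a0 3.10 6fdbba5ae45ccdfbc09409456f939041
INIT 0x3740 0x242 0x260 4.58 2cc1de2426414b82a40c8c9d036167e3
.rsrc 0x39a0 0x428 0x440 3.37 fff69297d195c8fb8803f2f19ffa51f4
.reloc 0x3de0 0x190 0x1a0 5.59 04df78fd3447a40d9aac562b113b9531
sigcheck:
publisher....: Symbios Logic Inc.
product......: Microsoft(R) Windows (R) 2000 Operating System
description..: Symbios Logic Inc. SCSI Miniport Driver
original name: SYMC810.SYS
file version.: 5.1.2409.1 (ReleaseBinaries.001205-1804)
verified.....: Unsigned
"""

# One regex per field of the 2010-era VirusTotal text layout; the dotted padding
# after a label ("MD5...:", "verified.....:") is variable, hence \.* before the colon.
FIELD_PATTERNS = {
    "submitted": r"^File (\S+) received",
    "detections": r"^Result: (\d+/\d+)",
    "md5": r"^MD5\.*:\s*([0-9a-f]{32})",
    "compiled": r"^timedatestamp\.*:\s*0x[0-9a-f]+ \((.+?)\)",
    "publisher": r"^publisher\.*:\s*(.+)",
    "product": r"^product\.*:\s*(.+)",
    "original_name": r"^original name:\s*(\S+)",
    "verified": r"^verified\.*:\s*(\S+)",
}
# Section rows: name, virtual addr, virtual size, raw size, entropy, md5
SECTION_RE = re.compile(
    r"^(\S+) 0x[0-9a-f]+ 0x[0-9a-f]+ 0x[0-9a-f]+ (\d+\.\d+) [0-9a-f]{32}$", re.M
)


def parse_vt_report(text):
    """Pull the scalar fields and the per-section entropy table out of the pasted report."""
    info = {}
    for key, pat in FIELD_PATTERNS.items():
        m = re.search(pat, text, re.M)
        if m:
            info[key] = m.group(1).strip()
    info["sections"] = [(m.group(1), float(m.group(2))) for m in SECTION_RE.finditer(text)]
    return info


def check_report(text, high_entropy=7.0):
    """Return (parsed fields, list of consistency findings). Thresholds are assumptions."""
    info = parse_vt_report(text)
    findings = []
    sub = info.get("submitted", "").lower()
    orig = info.get("original_name", "").lower()
    if sub and orig and sub != orig:
        findings.append(f"on-disk name {sub} differs from version-resource OriginalFilename {orig}")
    if info.get("verified", "").lower() == "unsigned" and "windows" in info.get("product", "").lower():
        findings.append("claims to be a Windows OS component but has no embedded Authenticode signature")
    packed = [name for name, ent in info["sections"] if ent >= high_entropy]
    if packed:
        findings.append("high-entropy sections (possible packing): " + ", ".join(packed))
    return info, findings


if __name__ == "__main__":
    parsed, problems = check_report(SAMPLE_REPORT)
    print(parsed["submitted"], parsed["detections"], "compiled", parsed["compiled"])
    for p in problems:
        print(" -", p)
```

Two findings come back for the report above and the entropy check stays quiet (the highest section, .text, sits at 6.38, which is ordinary for compiled code). One caveat on the signature finding: on XP, in-box Microsoft drivers are signed through catalog files, which VirusTotal's sigcheck does not consult, so "Unsigned" by itself does not condemn a file. The name mismatch is the stronger signal here, and a local run of Sysinternals sigcheck with -i, which does check catalogs, is the way to settle it on the machine.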
 
Well that's different! Never seen a file scan go like that before. Give it a try on one of the other sites. If you don't get a report, I'll move it anyway.
 
Sorry, I was out of town for work last week.

Here is a different scan of that file...

Filename: yxrurdkp.sys
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Sun 1 Aug 2010 06:44:37 (CET)

--------------------------------------------------------------------------------
Additional info
File size: 16256 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 1ff3217614018630d0a6758630fc698c
SHA1: 09f6023b965069572c2d8f40df323cca2efb9143

Scanners: all 19 reported "Found nothing" (scan dates 2010-07-30 to 2010-08-01)
 
Okay then, let's go on:

Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\yxrurdkp.sys
Folder::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Check for driver update for this Citrix Access Gateway client (VPN) if you are still using it.

I recommend you uninstall the following:
2008-06-23 22:31 > c:\program files\Coupons
These kinds of sites always include adware and some also send spyware.

This deletion in Combofix, D:\Autorun.inf indicates the possibility of an infected flash drive. If you have been using one, it should be disinfected. Let me know and I'll give you instructions.
================================

Run the Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================
Choose v2.0.4:
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Are there any remaining problems? IF these logs come back clean, I'll have you remove the cleaning tools.
 
Here is the combofix log.

I haven't been using a flash drive for a while, but I do have one. Should I disinfect it?

I will continue with the other steps...


ComboFix 10-07-24.06 - Owner 08/01/2010 11:39:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1391 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\windows\system32\drivers\yxrurdkp.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\yxrurdkp.sys
c:\windows\system32\service
c:\windows\system32\service\01082010_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 18:36 . 2010-08-01 18:36 -------- d-----w- c:\windows\LastGood
2010-08-01 04:41 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-16 16:21 . 2008-06-23 22:31 -------- d-----w- c:\program files\Coupons
2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2005-01-10 01:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_18.00.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-01 18:29 . 2010-08-01 18:29 16384 c:\windows\Temp\Perflib_Perfdata_420.dat
+ 2010-08-01 18:29 . 2010-08-01 18:29 16384 c:\windows\Temp\Perflib_Perfdata_198.dat
- 2006-02-24 10:42 . 2010-06-10 06:16 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-08-01 18:37 . 2010-08-01 18:37 200192 c:\windows\Installer\591ec.msi
- 2006-02-24 10:42 . 2010-06-10 06:16 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\591ff.msp
+ 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\591c9.msp
+ 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
- 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"showwnd"="showwnd.exe" [2003-09-19 36864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"nwiz"="nwiz.exe" [2005-07-09 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="mHotkey.exe" [2004-12-09 550912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SEAPORT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 11:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\Citrix\MetaFrame Password Manager\SSOGina\SSOGina.DLL
c:\program files\Citrix\MetaFrame Password Manager\Plugin\EventMgr\EventReporter.dll
c:\program files\Citrix\MetaFrame Password Manager\resource.dll
.
Completion time: 2010-08-01 11:46:18
ComboFix-quarantined-files.txt 2010-08-01 18:46
ComboFix2.txt 2010-07-26 18:02

Pre-Run: 154,173,030,400 bytes free
Post-Run: 154,183,798,784 bytes free

- - End Of File - - 5EC34D72010B0CA70BFC2E22890E64BD
 
ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=5485fe52b9098e4bb1a7791a3157bb67
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-01 07:57:59
# local_time=2010-08-01 12:57:59 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 24091545 24091545 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=138977
# found=2
# cleaned=0
# scan_time=3398
C:\Qoobox\32788R22FWJFW\symc810.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
C:\WINDOWS\dbplugin.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
 
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:05:32 PM, on 8/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\CNYHKey.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [showwnd] showwnd.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EntriqMediaTray] "C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235945226479
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} (NBCUniversal Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 14560 bytes
 
If you look at the top of the second Combofix log, you will see:- REDUCED FUNCTIONALITY MODE. It's an anti-piracy feature that usually appears when a program or OS hasn't been correctly activated or validated, or if there is an attempt to tamper with or hack the system. The user is not allowed the full features. It does not appear in the first Combofix log which is puzzling and is more common in Vista or Windows Server. MS Office can bring this on, but you don't have that program installed.
========================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    :Files  
    C:\WINDOWS\dbplugin.ocx 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Please reopen Hijackthis to 'do system scan only.' Check each of the following, if present:

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')


Close all Windows except HijackThis and click on "Fix Checked."
 
When I opened combofix it said something about trial version expiring. Maybe because it took me a few days to get back to it?

Here is the OTM log:
All processes killed
========== PROCESSES ==========
========== FILES ==========
C:\WINDOWS\dbplugin.ocx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 16786 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 4992 bytes

User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 7465 bytes

User: Owner
->Temp folder emptied: 541742 bytes
->Temporary Internet Files folder emptied: 14483065 bytes
->Java cache emptied: 2023 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 754 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 14.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08022010_210531

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF1221.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF135E.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF8D5.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DF94C.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFF4F.tmp not found!
File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFC2.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L6946P6E\ads[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L6946P6E\topic150582[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2IAF45LB\ads[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2IAF45LB\sh21[1].html moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_b9c.dat not found!

Registry entries deleted on Reboot...
 
You need to address this:
If you look at the top of the second Combofix log, you will see: REDUCED FUNCTIONALITY MODE. It's an anti-piracy feature that usually appears when a program or OS hasn't been correctly activated or validated, or if there is an attempt to tamper with or hack the system. The user is not allowed the full features. It does not appear in the first Combofix log, which is puzzling, and is more common in Vista or Windows Server. MS Office can bring this on, but you don't have that program installed.
 
Okay, I don't know how, but here is what I did.

I double-clicked on ComboFix without the virus software on. It asked to update and I said yes; last time I said no, that is the difference. I dragged the script in and it worked without going into reduced functionality mode.

Here is the log..

ComboFix 10-08-03.02 - Owner 08/03/2010 22:37:12.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1391 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FILE ::
"c:\windows\system32\drivers\yxrurdkp.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\service
c:\windows\system32\service\03082010_TIS17_SfFniAU.log

.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-03 04:05 . 2010-08-03 04:05 -------- d-----w- C:\_OTM
2010-08-01 20:04 . 2010-08-01 20:04 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-01 18:55 . 2010-08-01 18:55 -------- d-----w- c:\program files\ESET
2010-08-01 04:41 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 20:04 . 2006-07-16 23:16 -------- d-----w- c:\program files\Trend Micro
2010-08-01 20:03 . 2006-07-17 00:38 -------- d-----w- c:\documents and settings\Owner\Application Data\ICAClient
2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-14 14:31 . 2005-01-10 01:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-26_18.00.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-04 05:31 . 2010-08-04 05:31 16384 c:\windows\Temp\Perflib_Perfdata_c14.dat
+ 2010-08-04 05:31 . 2010-08-04 05:31 16384 c:\windows\Temp\Perflib_Perfdata_9f4.dat
+ 2006-02-24 10:42 . 2010-08-01 18:38 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2010-08-01 18:37 . 2010-08-01 18:37 200192 c:\windows\Installer\591ec.msi
+ 2006-02-24 10:42 . 2010-08-01 18:38 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-24 10:42 . 2010-08-01 18:38 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-02-24 10:42 . 2010-06-10 06:16 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\591ff.msp
+ 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\591c9.msp
+ 2010-08-01 20:04 . 2010-08-01 20:04 1094656 c:\windows\Installer\560d86.msi
+ 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
- 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"showwnd"="showwnd.exe" [2003-09-19 36864]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"nwiz"="nwiz.exe" [2005-07-09 1519616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
"NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"CHotkey"="mHotkey.exe" [2004-12-09 550912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 22:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-08-03 22:45:48
ComboFix-quarantined-files.txt 2010-08-04 05:45
ComboFix2.txt 2010-08-01 18:46
ComboFix3.txt 2010-07-26 18:02

Pre-Run: 153,211,957,248 bytes free
Post-Run: 153,198,661,632 bytes free

- - End Of File - - 84E4B93E749C8279A78B980E516E79F9
 
Okay, tell me how the system is doing: Is the firewall staying up? Have the redirects stopped? The only thing I see in the Combofix log is a driver/service for Citrix, which is questioned. If you are still using this, check the home site for a possible driver update. If you are no longer using it, uninstall.

Click on Start> Run> type in services.msc> Double click on Net6 > for Startup type: There are 3 Startup Type settings:
Set to Automatic if it needs to start on boot.
Set to Manual if it is user-invoked and only needs to run when you request it.
Set to Disabled if you don't use it.

This is related to net6im51.sys Secure Access Driver from Citrix Systems, Inc.

Let me know.
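The helper above reads the ComboFix "Reg Loading Points" and service lines by eye, and singles out the Net6IM entry whose driver file ComboFix marks with `-->` and `[?]`. As an added example (not from this thread, ComboFix or OTMoveIt), here is a small Python triage script that parses those two parts of the log format and flags the two things worth a second look: Run/RunOnce values that name a bare executable with no directory, and services whose binary ComboFix could not locate. The sample input is a constructed excerpt of the log posted above, and the reading of `-->`/`[?]` as "file not found" is an assumption stated in the code.

```python
import re
from typing import Dict, List

# Constructed sample input: an excerpt of the ComboFix log posted in this
# thread (Reg Loading Points plus the R*/S* service list), not the full log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"showwnd"="showwnd.exe" [2003-09-19 36864]
"nwiz"="nwiz.exe" [2005-07-09 1519616]
"ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
"CHotkey"="mHotkey.exe" [2004-12-09 550912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]
'''

# [HKEY_...\Run] or [HKEY_...\RunOnce] header line
RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+\\Run(?:Once)?)\]$')
# "ValueName"="image" [yyyy-mm-dd size]
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
# R2/S3 etc., then service name;display name;image path and details
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$')


def parse_run_entries(log_text: str) -> List[Dict[str, str]]:
    """Collect every Run/RunOnce value listed under a Reg Loading Points header."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None          # a blank line closes the key block
            continue
        key = RUN_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        value = RUN_VALUE_RE.match(line)
        if current_key and value:
            entries.append({"key": current_key, **value.groupdict()})
    return entries


def unqualified_run_entries(log_text: str) -> List[str]:
    # Run values whose image is a bare file name with no directory. Windows
    # resolves these through the PATH search order at logon, so the log alone
    # cannot show which binary runs; each must be located on disk and checked.
    return [e["name"] for e in parse_run_entries(log_text)
            if e["image"] and "\\" not in e["image"] and "/" not in e["image"]]


def parse_services(log_text: str) -> List[Dict[str, str]]:
    """Collect the R*/S* service and driver lines."""
    matches = (SERVICE_RE.match(l.strip()) for l in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def unresolved_services(log_text: str) -> List[str]:
    # Assumption: the '-->' arrow and trailing '[?]' on a service line mark a
    # registry entry whose file is not present on disk (an orphaned driver
    # entry), which is what the helper flagged for Net6IM in this thread.
    return [s["name"] for s in parse_services(log_text)
            if "-->" in s["image"] or s["image"].rstrip().endswith("[?]")]
```

Run against the full log rather than the excerpt, the two lists are the entries a helper would ask the poster to locate on disk or to check in services.msc before deciding whether to leave, update or disable them.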
 
The redirects have stopped. I haven't tested it too much while we have been working on the machine; I pretty much would turn it on to do our fixes and then shut it off. I will test it tonight.

I have not seen the firewall go down recently, but again I haven't left the computer on. The last time the firewall would go down after leaving the computer on for a few hours. I will test that tonight too.

It is allowing me to go to the Windows update site now, and the automatic updates are downloading, although I haven't installed them yet.

I noticed that now it takes a little longer for the Trend Micro antivirus to load on startup. Long enough for the Windows shield to pop up with a warning, but then it goes off. It takes a solid 1-2 minutes on startup to get that going.

On a few of those scans there were viruses/trojans identified or flagged that I did not click fix on, what do I do for those?
 