8 Steps help Please. Malware infecting me

Solved
By BigDaddyKLX
Jul 25, 2010
  1. Please help, I have followed the 8 steps, and have attached the logs here per the instructions.

    I have some malware that is blocking windows update, and is redirecting me when clicking links on web searches.

    Thank you very much for your help, I am in a jam!

    Kevin


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    'Morning Kevin! We'll work on the malware, but first you need to trim your antivirus programs down. You are using two AV programs: AV: McAfee VirusScan and AV: Trend Micro AntiVirus. Multiple AV programs can make the system more vulnerable and also slow it down. Here is a tool that can help: McAfee Removal

    After you have removed one of these, please reboot the computer.

    You should also update Java to v6u21. Then remove the earlier versions in Add/Remove Programs, as they are vulnerabilities to the system. Check this site: Java Updates

    I would like to get more specific about the problem. Having trouble getting Windows Update is an ongoing thing and there are various reasons. So please tell me what happens when you try to update: is there an error message? For instance:

    You may encounter temporary connection-related errors when you use Windows Update or Microsoft Update to install updates
    These errors may be caused by any of the following issues:
    • Applications or processes that interfere with Internet communications
    • Resource issues on your computer
    • High Internet activity
    • Recoverable database errors
    See http://support.microsoft.com/kb/836941

    As for the redirects:
    Which browser? If more than one browser, which ones? Do you get sent to another site when you do a specific search, choose a hit from a search or type a URL in the Address Bar?
  3. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    Thanks for the quick reply!

    Okay, I ran the McAfee removal tool, and it was successful. Then rebooted.

    Updated Java, and then had to remove v6u7. That was successful.

    When I go to update, I get error message 0x80072EFF.

    I tried to go to the update from Microsoft's web site directly. When I go to Automatic Updates on my PC and click the link to Windows Update, Explorer just acts like I am disconnected from the internet and tells me to diagnose my connection problems.

    I am using IE version 8 only.

    I believe this started when my son clicked on an email link that said he won a 1000 best buy gift card. Since then the computer has been acting up.

    The other thing that happened initially was that my Windows Firewall was down. I couldn't restart the service nor turn it back on. That was a week ago, and I turned off the computer for a week while on vacation.

    The firewall is back up now though.

    What is happening now, in addition to the windows update issue, is when doing a search on yahoo or google, I click on the links in the search results and am redirected to odd shopping sites.

    For example, when I found this message board in the search, simply clicking on the link takes me to shopcompareus .com. If I right click and say open link in separate tab, I can get to the actual link.

    Thanks again for your help.
  4. BigDaddyKLX


    Update

    I left the computer on a bit today, and the firewall went down again.

    I could not turn it back on.

    I didn't see how, I was away from the computer.

    I shut down. Now I have rebooted and the firewall is back up.

    This is not good.
  5. Bobbye


    For the present, we'll leave the Windows Updates out of the picture:

    Download eSec-Info2.zip and save it to your Desktop.
    You will need to extract the file.
    • Right click on the zipped folder> click on Extract All...
    • Click on Next in the 'Extraction Wizard' window that opens
    • Click on Next> and in the next window that appears
    • click on Finish in the final window
      --------------------------------------
    • To run, Double click on the folder Sec-info2.vbs
    • When completed, a text file named Sec-Info.txt is created in the same folder
    • Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.
    ================================================
    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.
    ======================================
    Please paste the logs into your next reply.
  6. BigDaddyKLX


    here is the sec info:

    Script run: 7/26/2010 10:11:21 AM

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Company Name:
    AV Name: Trend Micro AntiVirus
    Version Number: 17.50.1647
    On-Access Scanning Enabled: Yes
    Product up-to-date: Yes

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Windows Firewall is enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    The Security Center Anti-Virus Alerts are enabled.
    The Security Center Firewall Alerts are enabled.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Number of Restore Points found: 77

    ~~~~~~~~~~~~~~~~~~~~~~~~
  7. BigDaddyKLX


    Here you go.
    I think I clicked on it the first time; it hung up for 30 minutes. Hard shut down and then ran ComboFix again; it completed successfully.

    ComboFix 10-07-24.06 - Owner 07/26/2010 10:54:00.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1311 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\service
    c:\windows\system32\service\03032010_TIS17_SfFniAU.log
    c:\windows\system32\service\05052010_TIS17_SfFniAU.log
    c:\windows\system32\service\15022010_TIS17_SfFniAU.log
    c:\windows\system32\service\25102009_TIS17_SfFniAU.log
    c:\windows\system32\service\26112009_TIS17_SfFniAU.log
    c:\windows\system32\service\29102009_TIS17_SfFniAU.log
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
    .

    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
    2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
    2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
    2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
    2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 04:58 . 2010-07-25 04:58 16256 ----a-w- c:\windows\system32\drivers\yxrurdkp.sys
    2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
    2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
    2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
    2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
    2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-16 16:21 . 2008-06-23 22:31 -------- d-----w- c:\program files\Coupons
    2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
    2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
    2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
    2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
    2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2005-01-09 23:48 1851264 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
    "showwnd"="showwnd.exe" [2003-09-19 36864]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
    "QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
    "nwiz"="nwiz.exe" [2005-07-09 1519616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
    "ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
    "HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "CHotkey"="mHotkey.exe" [2004-12-09 550912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
    backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
    S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
    S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-26 11:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll 53248 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(760)
    c:\program files\Citrix\MetaFrame Password Manager\SSOGina\SSOGina.DLL
    c:\program files\Citrix\MetaFrame Password Manager\Plugin\EventMgr\EventReporter.dll
    c:\program files\Citrix\MetaFrame Password Manager\resource.dll
    .
    Completion time: 2010-07-26 11:02:37
    ComboFix-quarantined-files.txt 2010-07-26 18:02

    Pre-Run: 154,805,125,120 bytes free
    Post-Run: 154,881,015,808 bytes free

    - - End Of File - - 819E4DEFE26E5556DBEC8507C59A0A19
  8. BigDaddyKLX


    When I am trying to shut down now, it is asking me to install updates??? I am shutting down and saying no for now.
  9. BigDaddyKLX


    I just clicked the windows update link on the internet explorer, it works now too. I have not actually initiated any updates yet though. Looks like something was fixed?
  10. Bobbye


    You are a smart person! I know it's a nuisance and an inconvenience, but since updates have been known to cause problems at times, it is better to wait until we have finished.

    You need to submit a file for identification:
    Suspicious file(s) to scan: > browse or upload.

    c:\windows\system32\drivers\yxrurdkp.sys

    Submit to any of the following (only 1 is needed):

    http://www.virustotal.com/

    http://virusscan.jotti.org/en

    http://www.virscan.org/

    Paste log in next reply.
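As an added example (not code from this thread, from ComboFix or from TechSpot), the triage Bobbye did by eye above can be scripted: read the "Files Created" section of a ComboFix log in the format shown in post 7 and pick out newly created kernel drivers with a random-looking name or a modification time equal to the creation time. The sample lines are copied from the log in this thread; the two heuristics are assumptions of this example, not ComboFix rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a few "Files Created" lines copied from the ComboFix log
# posted in this thread, wrapped in the section markers ComboFix uses.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 04:58 . 2010-07-25 04:58 16256 ----a-w- c:\windows\system32\drivers\yxrurdkp.sys
2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One log line: "<created> . <modified> <size or dashes> <attribute flags> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # creation timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # last-modified timestamp
    r"(\d+|-+) "                               # size in bytes, or dashes for a directory
    r"([-a-z]{8}) "                            # attribute flags such as ----a-w- or d-----w-
    r"(.+)$"                                   # full path
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str


def parse_files_created(log: str) -> List[Entry]:
    """Return the entries of the 'Files Created' section of a ComboFix log."""
    entries: List[Entry] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("(((("):
            if in_section:
                break                       # the next section header ends ours
            in_section = "Files Created" in line
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                        # "." separators and blank lines
        size = None if m.group(3).startswith("-") else int(m.group(3))
        entries.append(Entry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
    return entries


VOWELS = set("aeiou")


def longest_consonant_run(stem: str) -> int:
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(stem: str) -> bool:
    """Triage heuristic (an assumption of this example): vendor driver names are
    usually pronounceable, so four or more consonants in a row ("yxrurdkp" ends
    in "rdkp") is worth a second look."""
    return stem.isalpha() and longest_consonant_run(stem) >= 4


def flag_new_drivers(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Pick out newly created kernel drivers that deserve manual review."""
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if ext.lower() != "sys" or "\\drivers\\" not in e.path.lower():
            continue
        reasons = []
        if looks_random(stem):
            reasons.append("random-looking file name")
        if e.created == e.modified:
            # An installer copying a driver keeps the build's modification time
            # (see mbam.sys above); a file written fresh has both times equal.
            reasons.append("modified time equals creation time")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in flag_new_drivers(parse_files_created(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, only yxrurdkp.sys is reported, with both reasons; the Malwarebytes drivers created the same day are not, because their modification times predate their creation.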
  11. BigDaddyKLX


    File yxrurdkp.sys received on 2010.07.27 03:43:03 (UTC)


    Result: 0/42 (0%)


    Antivirus Version Last Update Result
    AhnLab-V3 2010.07.27.00 2010.07.26 -
    AntiVir 8.2.4.26 2010.07.26 -
    Antiy-AVL 2.0.3.7 2010.07.26 -
    Authentium 5.2.0.5 2010.07.27 -
    Avast 4.8.1351.0 2010.07.26 -
    Avast5 5.0.332.0 2010.07.26 -
    AVG 9.0.0.851 2010.07.26 -
    BitDefender 7.2 2010.07.27 -
    CAT-QuickHeal 11.00 2010.07.26 -
    ClamAV 0.96.0.3-git 2010.07.27 -
    Comodo 5551 2010.07.27 -
    DrWeb 5.0.2.03300 2010.07.27 -
    Emsisoft 5.0.0.34 2010.07.27 -
    eSafe 7.0.17.0 2010.07.26 -
    eTrust-Vet 36.1.7738 2010.07.26 -
    F-Prot 4.6.1.107 2010.07.27 -
    F-Secure 9.0.15370.0 2010.07.26 -
    Fortinet 4.1.143.0 2010.07.24 -
    GData 21 2010.07.27 -
    Ikarus T3.1.1.84.0 2010.07.27 -
    Jiangmin 13.0.900 2010.07.26 -
    Kaspersky 7.0.0.125 2010.07.27 -
    McAfee 5.400.0.1158 2010.07.27 -
    McAfee-GW-Edition 2010.1 2010.07.27 -
    Microsoft 1.6004 2010.07.26 -
    NOD32 5315 2010.07.26 -
    Norman 6.05.11 2010.07.26 -
    nProtect 2010-07-26.02 2010.07.26 -
    Panda 10.0.2.7 2010.07.26 -
    PCTools 7.0.3.5 2010.07.27 -
    Prevx 3.0 2010.07.27 -
    Rising 22.58.01.01 2010.07.27 -
    Sophos 4.55.0 2010.07.27 -
    Sunbelt 6646 2010.07.27 -
    SUPERAntiSpyware 4.40.0.1006 2010.07.27 -
    Symantec 20101.1.1.7 2010.07.27 -
    TheHacker 6.5.2.1.326 2010.07.27 -
    TrendMicro 9.120.0.1004 2010.07.27 -
    TrendMicro-HouseCall 9.120.0.1004 2010.07.27 -
    VBA32 3.12.12.6 2010.07.26 -
    ViRobot 2010.7.26.3960 2010.07.26 -
    VirusBuster 5.0.27.0 2010.07.26 -
    Additional information
    File size: 16256 bytes
    MD5...: 1ff3217614018630d0a6758630fc698c
    SHA1..: 09f6023b965069572c2d8f40df323cca2efb9143
    SHA256: 78a3075bbff5d7adeac1527e65aca8527bfc509df124d44410bb46c4d96c96bb
    ssdeep: 384:lz/UYwUp2PQ2LsxvDdd/KeOtIrXXJ69O3jZKonFA4yhXW:lzRhpOcxv7KDGZIOT3nFbQ

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x2ff8
    timedatestamp.....: 0x3a311d2b (Fri Dec 08 17:40:59 2000)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x2c0 0x2df2 0x2e00 6.38 10228dda4a61b3490fac6f5562961c90
    .rdata 0x30c0 0xd2 0xe0 4.06 5846b722253d03066e5aa486b82ecf74
    .data 0x31a0 0x58b 0x5a0 3.10 6fdbba5ae45ccdfbc09409456f939041
    INIT 0x3740 0x242 0x260 4.58 2cc1de2426414b82a40c8c9d036167e3
    .rsrc 0x39a0 0x428 0x440 3.37 fff69297d195c8fb8803f2f19ffa51f4
    .reloc 0x3de0 0x190 0x1a0 5.59 04df78fd3447a40d9aac562b113b9531

    ( 1 imports )
    > SCSIPORT.SYS: ScsiPortWriteRegisterUlong, ScsiPortStallExecution, ScsiPortReadRegisterUchar, ScsiPortWriteRegisterUchar, ScsiPortGetPhysicalAddress, ScsiPortMoveMemory, ScsiPortNotification, ScsiPortGetLogicalUnit, ScsiPortFreeDeviceBase, ScsiPortGetDeviceBase, ScsiPortConvertUlongToPhysicalAddress, ScsiPortCompleteRequest, ScsiPortLogError, ScsiPortReadRegisterUlong, ScsiPortGetSrb, ScsiPortGetUncachedExtension, ScsiPortInitialize

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    pdfid.: -
    sigcheck:
    publisher....: Symbios Logic Inc.
    copyright....: Copyright (c) Symbios Logic Inc. 1992-1998
    product......: Microsoft(R) Windows (R) 2000 Operating System
    description..: Symbios Logic Inc. SCSI Miniport Driver
    original name: SYMC810.SYS
    internal name: DULUTH-4.00.01
    file version.: 5.1.2409.1 (ReleaseBinaries.001205-1804)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
     
  12. Bobbye


    Well that's different! Never seen a file scan go like that before. Give it a try on one of the other sites. If you don't get a report, I'll move it anyway.
  13. BigDaddyKLX


    Sorry, I was out of town for work last week.

    Here is a different scan of that file...

    Filename: yxrurdkp.sys
    Status: Scan finished. 0 out of 19 scanners reported malware.
    Scan taken on: Sun 1 Aug 2010 06:44:37 (CET) Permalink



    --------------------------------------------------------------------------------
    Additional info
    File size: 16256 bytes
    Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5: 1ff3217614018630d0a6758630fc698c
    SHA1: 09f6023b965069572c2d8f40df323cca2efb9143

    Scanners
    (scanner names did not survive extraction; all 19 entries, with definition dates from 2010-07-30 to 2010-08-01, read "Found nothing")
  14. Bobbye


    Okay then, let's go on:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\system32\drivers\yxrurdkp.sys
    Folder::
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"=-
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Check for driver update for this Citrix Access Gateway client (VPN) if you are still using it.

    I recommend you uninstall the following:
    2008-06-23 22:31 > c:\program files\Coupons
    These kinds of sites always include adware and some also send spyware.

    This deletion in Combofix, D:\Autorun.inf indicates the possibility of an infected flash drive. If you have been using one, it should be disinfected. Let me know and I'll give you instructions.
    ================================

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================
    Choose v2.0.4:
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Are there any remaining problems? If these logs come back clean, I'll have you remove the cleaning tools.
  15. BigDaddyKLX


    Here is the combofix log.

    I haven't been using a flash drive for a while, but I do have one. Should I disinfect it?

    I will continue with the other steps...


    ComboFix 10-07-24.06 - Owner 08/01/2010 11:39:27.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1391 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\CFScript.txt
    AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    .
    - REDUCED FUNCTIONALITY MODE -

    FILE ::
    "c:\windows\system32\drivers\yxrurdkp.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\yxrurdkp.sys
    c:\windows\system32\service
    c:\windows\system32\service\01082010_TIS17_SfFniAU.log

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
    .

    2010-08-01 18:36 . 2010-08-01 18:36 -------- d-----w- c:\windows\LastGood
    2010-08-01 04:41 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
    2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
    2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
    2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
    2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
    2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
    2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
    2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
    2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-16 16:21 . 2008-06-23 22:31 -------- d-----w- c:\program files\Coupons
    2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
    2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
    2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
    2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-14 14:31 . 2005-01-10 01:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
    2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-26_18.00.47 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-01 18:29 . 2010-08-01 18:29 16384 c:\windows\Temp\Perflib_Perfdata_420.dat
    + 2010-08-01 18:29 . 2010-08-01 18:29 16384 c:\windows\Temp\Perflib_Perfdata_198.dat
    - 2006-02-24 10:42 . 2010-06-10 06:16 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2010-08-01 18:37 . 2010-08-01 18:37 200192 c:\windows\Installer\591ec.msi
    - 2006-02-24 10:42 . 2010-06-10 06:16 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\591ff.msp
    + 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\591c9.msp
    + 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    - 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
    "showwnd"="showwnd.exe" [2003-09-19 36864]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
    "QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
    "nwiz"="nwiz.exe" [2005-07-09 1519616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
    "ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
    "HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "CHotkey"="mHotkey.exe" [2004-12-09 550912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Power2GoExpress"="NA" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
    backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
    S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
    S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SEAPORT

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

    2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-01 11:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)
    c:\program files\Citrix\MetaFrame Password Manager\SSOGina\SSOGina.DLL
    c:\program files\Citrix\MetaFrame Password Manager\Plugin\EventMgr\EventReporter.dll
    c:\program files\Citrix\MetaFrame Password Manager\resource.dll
    .
    Completion time: 2010-08-01 11:46:18
    ComboFix-quarantined-files.txt 2010-08-01 18:46
    ComboFix2.txt 2010-07-26 18:02

    Pre-Run: 154,173,030,400 bytes free
    Post-Run: 154,183,798,784 bytes free

    - - End Of File - - 5EC34D72010B0CA70BFC2E22890E64BD
  16. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=5485fe52b9098e4bb1a7791a3157bb67
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-01 07:57:59
    # local_time=2010-08-01 12:57:59 (-0800, Pacific Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 24091545 24091545 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=138977
    # found=2
    # cleaned=0
    # scan_time=3398
    C:\Qoobox\32788R22FWJFW\symc810.sys Win32/Olmarik.ZC trojan 00000000000000000000000000000000 I
    C:\WINDOWS\dbplugin.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
  17. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    Uninstalled the Citrix and the Coupons.
  18. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:05:32 PM, on 8/1/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\ehome\RMSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\Program Files\Digital Media Reader\readericon45G.exe
    C:\WINDOWS\CNYHKey.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\ehome\RMSysTry.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKLM\..\Run: [showwnd] showwnd.exe
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NBCUniversal Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:NBCUniversal
    O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [EntriqMediaTray] "C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe"
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe"
    O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235945226479
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
    O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    O16 - DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} (CentrinoCheck Control) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} (NBCUniversal Class) - http://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

    --
    End of file - 14560 bytes
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    If you look at the top of the second Combofix log, you will see:- REDUCED FUNCTIONALITY MODE. It's an anti-piracy feature that usually appears when a program or OS hasn't been correctly activated or validated, or if there is an attempt to tamper with or hack the system. The user is not allowed the full features. It does not appear in the first Combofix log, which is puzzling, and is more common in Vista or Windows Server. MS Office can bring this on, but you don't have that program installed.
    ========================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\WINDOWS\dbplugin.ocx 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    Please reopen Hijackthis to 'do system scan only.' Check each of the following, if present:

    O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')


    Close all Windows except HijackThis and click on "Fix Checked."
  20. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    When I opened combofix it said something about trial version expiring. Maybe because it took me a few days to get back to it?

    Here is the OTM log:
    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\WINDOWS\dbplugin.ocx moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 16786 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 4992 bytes

    User: MCX1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 7465 bytes

    User: Owner
    ->Temp folder emptied: 541742 bytes
    ->Temporary Internet Files folder emptied: 14483065 bytes
    ->Java cache emptied: 2023 bytes
    ->Apple Safari cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 754 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 14.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 08022010_210531

    Files moved on Reboot...
    C:\Documents and Settings\Owner\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF1221.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF135E.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF8D5.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DF94C.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DFF4F.tmp not found!
    File C:\Documents and Settings\Owner\Local Settings\Temp\~DFFC2.tmp not found!
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L6946P6E\ads[1].htm moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L6946P6E\topic150582[1].html moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2IAF45LB\ads[1].htm moved successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2IAF45LB\sh21[1].html moved successfully.
    File C:\WINDOWS\temp\Perflib_Perfdata_b9c.dat not found!

    Registry entries deleted on Reboot...
  21. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    Ran HijackThis and fixed those items. They don't show up when I hit system scan again.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You need to address this:
  23. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    Okay, I don't know how, but here is what I did.

    I double clicked on combofix without the virus software on, it asked to update, and I said yes, last time I said no, that is the difference. I dragged the script in and it worked without going into reduced functionality mode.

    Here is the log..

    ComboFix 10-08-03.02 - Owner 08/03/2010 22:37:12.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1391 [GMT -7:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

    FILE ::
    "c:\windows\system32\drivers\yxrurdkp.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\service
    c:\windows\system32\service\03082010_TIS17_SfFniAU.log

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
    .

    2010-08-03 04:05 . 2010-08-03 04:05 -------- d-----w- C:\_OTM
    2010-08-01 20:04 . 2010-08-01 20:04 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-08-01 18:55 . 2010-08-01 18:55 -------- d-----w- c:\program files\ESET
    2010-08-01 04:41 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\Microsoft
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar
    2010-07-25 17:26 . 2010-07-25 17:26 -------- d-----w- c:\program files\MSN Toolbar Installer
    2010-07-25 17:25 . 2010-07-25 17:25 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-sse.dll
    2010-07-25 17:25 . 2010-07-25 17:25 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcp71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\jmc.dll
    2010-07-25 17:25 . 2010-07-25 17:25 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-13b88e8c-n\msvcr71.dll
    2010-07-25 17:25 . 2010-07-25 17:25 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3bc9a11a-n\decora-d3d.dll
    2010-07-25 17:25 . 2010-06-22 11:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-25 09:23 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-25 09:23 . 2010-07-25 09:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-25 04:40 . 2010-07-25 04:59 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-25 04:33 . 2010-07-25 04:42 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-07-18 17:38 . 2010-07-18 17:39 -------- d-----w- c:\program files\Common Files\Adobe
    2010-07-18 17:34 . 2010-07-18 17:34 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-07-16 01:03 . 2010-07-16 01:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-14 04:55 . 2010-07-14 04:55 -------- d-----w- c:\program files\iPod
    2010-07-14 04:47 . 2010-07-14 04:47 -------- d-----w- c:\program files\Bonjour
    2010-07-14 04:44 . 2010-07-14 04:44 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-01 20:04 . 2006-07-16 23:16 -------- d-----w- c:\program files\Trend Micro
    2010-08-01 20:03 . 2006-07-17 00:38 -------- d-----w- c:\documents and settings\Owner\Application Data\ICAClient
    2010-07-25 17:29 . 2006-02-24 10:47 -------- d-----w- c:\program files\Java
    2010-07-25 17:26 . 2006-02-24 10:47 -------- d-----w- c:\program files\Common Files\Java
    2010-07-25 04:09 . 2008-12-02 06:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-07-18 17:35 . 2008-12-02 06:58 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-07-16 01:03 . 2006-08-14 13:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-14 04:56 . 2009-08-09 17:26 -------- d-----w- c:\program files\iTunes
    2010-07-14 04:55 . 2008-03-13 02:54 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-23 17:39 . 2010-06-23 17:39 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb31F.tmp.exe
    2010-06-15 02:00 . 2008-07-15 02:23 -------- d-----w- c:\program files\Safari
    2010-06-15 01:56 . 2010-06-15 01:56 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-14 14:31 . 2005-01-10 01:09 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-03 05:20 . 2006-11-10 15:09 12130 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
    2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-26_18.00.47 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-04 05:31 . 2010-08-04 05:31 16384 c:\windows\Temp\Perflib_Perfdata_c14.dat
    + 2010-08-04 05:31 . 2010-08-04 05:31 16384 c:\windows\Temp\Perflib_Perfdata_9f4.dat
    + 2006-02-24 10:42 . 2010-08-01 18:38 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2010-08-01 18:37 . 2010-08-01 18:37 200192 c:\windows\Installer\591ec.msi
    + 2006-02-24 10:42 . 2010-08-01 18:38 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-02-24 10:42 . 2010-08-01 18:38 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2006-02-24 10:42 . 2010-06-10 06:16 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-05-25 18:45 . 2010-05-25 18:45 8445440 c:\windows\Installer\591ff.msp
    + 2010-07-01 05:52 . 2010-07-01 05:52 5522944 c:\windows\Installer\591c9.msp
    + 2010-08-01 20:04 . 2010-08-01 20:04 1094656 c:\windows\Installer\560d86.msi
    + 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    - 2006-07-21 03:42 . 2010-07-02 19:39 34045896 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
    "showwnd"="showwnd.exe" [2003-09-19 36864]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
    "QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
    "nwiz"="nwiz.exe" [2005-07-09 1519616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "NBCUniversal Media Manager Tray"="c:\program files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2006-09-07 372736]
    "ledpointer"="CNYHKey.exe" [2004-03-03 5576704]
    "IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
    "HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "EntriqMediaTray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2006-05-01 122880]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "CHotkey"="mHotkey.exe" [2004-12-09 550912]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2004-8-10 17408]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MetaFrame Password Manager Agent Background Process.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MetaFrame Password Manager Agent Background Process.lnk
    backup=c:\windows\pss\MetaFrame Password Manager Agent Background Process.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3776:UDP"= 3776:UDP:Media Center Extender Service
    "3390:TCP"= 3390:TCP:*:Disabled:Remote Media Center Experience

    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [10/25/2009 3:48 PM 36368]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 10:17 AM 135664]
    S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [7/16/2006 4:33 PM 18864]
    S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [10/25/2009 3:55 PM 50704]
    S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [10/25/2009 3:55 PM 689416]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]

    2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 17:17]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
    DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-03 22:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-08-03 22:45:48
    ComboFix-quarantined-files.txt 2010-08-04 05:45
    ComboFix2.txt 2010-08-01 18:46
    ComboFix3.txt 2010-07-26 18:02

    Pre-Run: 153,211,957,248 bytes free
    Post-Run: 153,198,661,632 bytes free

    - - End Of File - - 84E4B93E749C8279A78B980E516E79F9
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay, tell me how the system is doing: Is firewall staying up? Have redirects stopped? The only thing I see in the Combofix log is a driver/Service for Citrix which is questioned. If you are still using this, check the home site for a possible driver update. If you are no longer using it, uninstall.

    Click on Start> Run> type in services.msc> Double click on Net6 > for Startup type: There are 3 Startup Type settings:
    Set on Automatic if it needs to start on boot
    Set to Manual if it is user invoked and only needs to run when you request it.
    Set to Disabled if you don't use it

    This is related to net6im51.sys Secure Access Driver from Citrix Systems, Inc.

    Let me know.
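    The two checks in this thread, the HijackThis O4 entries marked "NA" in post 19 and the service startup-type review in post 24, come down to the same question: which autostart entries and services point at an image file that no longer exists, and how is each one set to start? The PowerShell script below is an added example for this thread, not something Bobbye or the tools posted here provide. It assumes PowerShell 2.0 (available for XP), runs the optional -Disable step from an elevated shell, and uses function names of its own; the default service name Net6IM is taken from the ComboFix log above.

```powershell
# Added example, not from the thread: audit Run-key autostarts and service/driver
# startup types for image files missing on disk (HijackThis shows these as "NA",
# ComboFix as "--> ... [?]"), then show or disable one service's startup type.
param(
    [string]$ServiceName = 'Net6IM',   # service from the ComboFix log; assumption for the default
    [switch]$Disable                    # same effect as services.msc > Startup type: Disabled
)

function Resolve-ImagePath {
    param([string]$Command)
    # Reduce a Run value or service PathName to the image path: drop quotes and
    # arguments, then normalise the kernel-style prefixes drivers use.
    if (-not $Command) { return $null }
    $p = if ($Command -match '^"([^"]+)"') { $Matches[1] }
         elseif ($Command -match '^(.+?\.(exe|sys|dll|ocx))(\s|$)') { $Matches[1] }
         else { $Command.Trim() }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-ImageExists {
    param([string]$Path)
    if (-not $Path) { return $false }
    if ($Path -match '^[A-Za-z]:\\') { return (Test-Path -LiteralPath $Path) }
    # Bare names ("showwnd.exe") and driver-relative paths ("system32\DRIVERS\x.sys")
    # resolve against the Windows directories, as the loader does.
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))) {
        if (Test-Path -LiteralPath (Join-Path $dir $Path)) { return $true }
    }
    return $false
}

function Get-MissingRunEntries {
    # HKCU/HKLM Run keys plus every loaded hive under HKEY_USERS (covers the
    # HKUS\S-1-5-18 and HKUS\.DEFAULT lines HijackThis reports as O4).
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    $keys += @(Get-ChildItem 'HKU:\' | ForEach-Object {
        "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = $item.GetValue($name)
            if (-not (Test-ImageExists (Resolve-ImagePath $cmd))) {
                New-Object PSObject -Property @{ Key = $k; Name = $name; Command = $cmd }
            }
        }
    }
}

function Get-MissingServiceImages {
    # Win32_Service is what services.msc lists; Win32_SystemDriver covers kernel
    # drivers such as Net6IM, which services.msc does not show.
    $all = @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)
    foreach ($s in $all) {
        $exe = Resolve-ImagePath $s.PathName
        if ($exe -and -not (Test-ImageExists $exe)) {
            New-Object PSObject -Property @{
                Name = $s.Name; StartMode = $s.StartMode; State = $s.State; Path = $exe }
        }
    }
}

'--- Run entries whose program is missing ---'
Get-MissingRunEntries | Format-Table Name, Key, Command -AutoSize
'--- Services/drivers whose image file is missing ---'
Get-MissingServiceImages | Format-Table Name, StartMode, State, Path -AutoSize

# Startup type of the service under review: Auto / Manual / Disabled.
$svc = @(Get-WmiObject Win32_Service -Filter "Name='$ServiceName'") +
       @(Get-WmiObject Win32_SystemDriver -Filter "Name='$ServiceName'") | Select-Object -First 1
if (-not $svc) { "Service '$ServiceName' not found"; return }
'{0}: StartMode={1} State={2} Image={3}' -f $svc.Name, $svc.StartMode, $svc.State, $svc.PathName
if ($Disable) {
    # sc.exe works for both services and drivers; the space after "start=" is required.
    & sc.exe config $ServiceName start= disabled
    & sc.exe stop $ServiceName
}
```

Run it without switches first to see the report; rerun with `-ServiceName Net6IM -Disable` only after deciding, as Bobbye suggests, that the Citrix driver is no longer needed. An entry flagged by the report is not automatically malicious: an uninstaller that left its Run value behind produces the same "NA" line, which is why the thread fixes those entries in HijackThis rather than treating them as infections.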
  25. BigDaddyKLX

    BigDaddyKLX Newcomer, in training Topic Starter Posts: 36

    The redirects have stopped. I haven't tested it too much while we have been working on the machine. I pretty much would turn it on to do our fixes and then shut it off, I will test it tonight.

    I have not seen the firewall go down recently, but again I haven't left the computer on. The last time the firewall would go down after leaving the computer on for a few hours. I will test that tonight too.

    It is allowing me to go to the Windows update site now, and the automatic updates are downloading, although I haven't installed them yet.

    I noticed that now it takes a little longer for the trend micro antivirus to load on startup. Long enough for the windows shield to pop up with a warning, but then it goes off. Takes a solid 1-2 minutes on startup to get that going.

    On a few of those scans there were viruses/trojans identified or flagged that I did not click fix on, what do I do for those?