Solved Broni: Please review these logs of an infected XP-Pro laptop

"Conduit Engine" and "error 2753. regutils.dll" on "java 6(TM) update 25" uninstall

Hello Broni:

Thank you very much for your prompt response. I will complete the Combofix task next. Meanwhile, could you look into this new problem? I found "Conduit Engine" in the Add/Remove Programs box when I tried to uninstall the leftover old Javas manually. I successfully uninstalled it there and in the Google Chrome extensions.

I did the same with "java 6(TM) update 7". But uninstalling "java 6(TM) update 25" generated an "error 2753. regutils.dll". JavaRa could not completely uninstall it either, even after I tried to reinstall it. A couple of people claim success with Revo Uninstaller Pro. What do you advise? Thank you, again!

Best wishes,
Wiz:wave:
 
Combofix Log

Hello Broni:

Thanks a lot for your prompt response. I ran combofix as advised. Its behavior was unusual. It claimed a 2004 date and asked for a limited mode run. The clock in the system tray was displaying the correct time. I allowed it. It repaired an "autocheck" system file. The scan took a long time even after its reboot and produced this log. I have not examined it. Please let me know if I should do anything else. Thank you very much for doing such a great job.

Best wishes,
Wiz:wave:

__________________

ComboFix 11-09-18.01 - iiii ccccc 09/24/2011 15:59:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1446 [GMT -7:00]
Running from: c:\documents and settings\iiii ccccc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\iiii ccccc\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\program files\¿á6Íø\¼«ËÙ¿á6\Ku6SpeedUpper.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-24 to 2011-09-24 )))))))))))))))))))))))))))))))
.
.
2011-09-24 23:06 . 2011-09-24 23:06 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-09-24 23:04 . 2011-09-24 23:04 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-23 00:18 . 2011-09-23 00:18 -------- d-----w- c:\program files\ESET
2011-09-22 23:27 . 2011-09-22 23:27 -------- d-----w- C:\_OTL
2011-09-22 23:22 . 2011-09-22 23:22 -------- d-----w- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Sun
2011-09-21 19:06 . 2011-09-21 19:06 -------- d-----w- C:\iiii
2011-09-20 17:13 . 2011-09-20 17:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-19 17:56 . 2011-09-19 17:56 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\Malwarebytes
2011-09-19 04:54 . 2011-09-19 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-19 04:54 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-19 04:54 . 2011-09-19 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-19 03:22 . 2011-09-19 03:22 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\Avira
2011-09-19 03:18 . 2011-07-21 19:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-19 03:18 . 2011-07-21 19:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-19 03:18 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-19 03:18 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-19 03:18 . 2011-09-19 03:18 -------- d-----w- c:\program files\Avira
2011-09-19 03:18 . 2011-09-19 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-19 02:09 . 2011-09-21 21:06 -------- d-----w- C:\troubleshooter
2011-09-13 14:42 . 2011-09-13 14:42 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\com.livescribe.LivescribeConnect
2011-09-13 14:42 . 2011-09-13 14:42 -------- d-----w- c:\program files\Common Files\Livescribe
2011-09-13 14:41 . 2011-09-13 14:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-24 23:13 . 2008-02-16 08:36 44544 ----a-w- c:\windows\system32\agremove.exe
2011-09-22 22:58 . 2008-08-23 18:30 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-22 22:58 . 2011-05-30 03:49 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-18 07:00 . 2007-11-10 04:04 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-09-09 09:12 . 2006-04-30 06:55 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2006-04-30 06:55 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-04-30 06:55 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2008-03-23 02:20 . 2008-03-23 02:20 35481456 ------w- c:\program files\Money_Plus_Deluxe_Win32_English_Online-US_Only_DwnLd.exe
2008-03-23 00:54 . 2008-03-23 00:52 15452536 ------w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-02-29 14:57 . 2008-02-10 18:03 23344432 ------w- c:\program files\QuickTimeInstaller.exe
2008-11-16 16:51 . 2008-11-15 05:08 27976 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-16 16:51 . 2008-11-15 05:08 126360 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-15 05:08 . 2008-11-15 05:08 98712 ------w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d1e06b91-60e6-4492-af9f-53043fa32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d1e06b91-60e6-4492-af9f-53043fa32716}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TheFreeDictionarycom\prxtbThe2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d1e06b91-60e6-4492-af9f-53043fa32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D1E06B91-60E6-4492-AF9F-53043FA32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2006-08-22 33128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-02 7557120]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-04-19 24576]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2006-05-08 94208]
"snp2std"="c:\windows\vsnp2std.exe" [2006-04-21 675840]
"nwiz"="nwiz.exe" [2006-03-02 1519616]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2006-07-03 110592]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-29 73728]
"ISUSPM Startup"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\
Realhound IP Tune and Lube.LNK - c:\program files\REALHOUND IP Client\realhoundiptuneandlube.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-01-11 06:05 13824 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iTunes.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\iTunes.lnk
backup=c:\windows\pss\iTunes.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^iiii ccccc^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^iiii ccccc^Start Menu^Programs^Startup^iTunes.lnk]
path=c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\iTunes.lnk
backup=c:\windows\pss\iTunes.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\???6]
c:\program files\¿á6Íø\¼«ËÙ¿á6\Ku6SpeedUpper.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2006-10-06 03:57 409600 -c----w- c:\program files\ThinkPad\ConnectUtilities\ACTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2006-10-06 03:53 110592 -c----w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-08-30 07:40 89542 ------w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-04-21 14:53 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2007-08-23 05:48 53248 ------w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 05:29 623960 ----a-w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-05 00:08 136176 ----atw- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 23:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyInsights]
2008-02-19 16:19 502800 ------w- c:\program files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-03-15 23:07 421888 ------w- c:\program files\Picasa2\PicasaMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 18:47 79192 ----a-w- c:\program files\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-10 06:21 16384000 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 20:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-26 13:41 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-27 17:45 273544 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iiii ccccc\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 12:48 PM 10240]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/18/2011 8:18 PM 136360]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [9/19/2009 7:04 AM 45312]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [8/11/2011 3:03 PM 470528]
S1 MpKsl4455b4c5;MpKsl4455b4c5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89BDB2B4-AA68-4A1F-BA95-8A8340D0A0DB}\MpKsl4455b4c5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89BDB2B4-AA68-4A1F-BA95-8A8340D0A0DB}\MpKsl4455b4c5.sys [?]
S1 MpKslb523da44;MpKslb523da44;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64F5AB7-6F66-41EF-ABE6-9BAD6298F43D}\MpKslb523da44.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64F5AB7-6F66-41EF-ABE6-9BAD6298F43D}\MpKslb523da44.sys [?]
S2 smi2;smi2;\??\c:\program files\SMI2\smi2.sys --> c:\program files\SMI2\smi2.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2/8/2011 11:35 PM 20480]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:37 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:37 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-08-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 02:37]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 02:37]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2942788721-270316561-3154462386-1005Core.job
- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 00:08]
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2942788721-270316561-3154462386-1005UA.job
- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 00:08]
.
2011-08-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
2011-09-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2942788721-270316561-3154462386-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-09-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2942788721-270316561-3154462386-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.92.124.1 192.92.124.3
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 16:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Shared Tools\MSConfig\startupreg\gw‘6*]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ku6SpeedUpper"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\¿á6Íø\\¼«ËÙ¿á6\\Ku6SpeedUpper.exe\" /start"
"inimapping"="0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1244)
c:\windows\system32\tphklock.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Lenovo\PM Driver\PMSveH.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2011-09-24 16:21:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-24 23:21
ComboFix2.txt 2011-09-20 20:27
.
Pre-Run: 116,942,245,888 bytes free
Post-Run: 116,934,434,816 bytes free
.
- - End Of File - - CEF518BBBA4F06135E3E23D764712923
 
Delete your Combofix file, download a fresh one and re-run it using the very same script as in my previous reply.
 
New Combofix Log

Hello Broni:

Thank you very much for checking the Combofix log. Here is the new log of the newly downloaded and run Combofix. I have not looked at it yet. Thank you again!

Best regards,
Wiz:wave:
_________

ComboFix 11-09-24.04 - iiii ccccc 09/24/2011 19:17:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1580 [GMT -7:00]
Running from: c:\documents and settings\iiii ccccc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\iiii ccccc\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
FILE ::
"c:\program files\¿á6Íø\¼«ËÙ¿á6\Ku6SpeedUpper.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))
.
.
2011-09-25 02:35 . 2011-09-25 02:35 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-09-25 02:33 . 2011-09-25 02:33 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-09-23 00:18 . 2011-09-23 00:18 -------- d-----w- c:\program files\ESET
2011-09-22 23:27 . 2011-09-22 23:27 -------- d-----w- C:\_OTL
2011-09-22 23:22 . 2011-09-22 23:22 -------- d-----w- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Sun
2011-09-21 19:06 . 2011-09-21 19:06 -------- d-----w- C:\iiii
2011-09-20 17:13 . 2011-09-20 17:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-09-19 17:56 . 2011-09-19 17:56 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\Malwarebytes
2011-09-19 04:54 . 2011-09-19 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-19 04:54 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-19 04:54 . 2011-09-19 04:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-19 03:22 . 2011-09-19 03:22 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\Avira
2011-09-19 03:18 . 2011-07-21 19:15 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-19 03:18 . 2011-07-21 19:15 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-19 03:18 . 2010-06-17 22:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-19 03:18 . 2010-06-17 22:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-19 03:18 . 2011-09-19 03:18 -------- d-----w- c:\program files\Avira
2011-09-19 03:18 . 2011-09-19 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-19 02:09 . 2011-09-21 21:06 -------- d-----w- C:\troubleshooter
2011-09-13 14:42 . 2011-09-13 14:42 -------- d-----w- c:\documents and settings\iiii ccccc\Application Data\com.livescribe.LivescribeConnect
2011-09-13 14:42 . 2011-09-13 14:42 -------- d-----w- c:\program files\Common Files\Livescribe
2011-09-13 14:41 . 2011-09-13 14:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-25 02:43 . 2008-02-16 08:36 44544 ----a-w- c:\windows\system32\agremove.exe
2011-09-22 22:58 . 2008-08-23 18:30 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-22 22:58 . 2011-05-30 03:49 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-18 07:00 . 2007-11-10 04:04 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-09-09 09:12 . 2006-04-30 06:55 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2006-04-30 06:55 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-04-30 06:55 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
2008-03-23 02:20 . 2008-03-23 02:20 35481456 ------w- c:\program files\Money_Plus_Deluxe_Win32_English_Online-US_Only_DwnLd.exe
2008-03-23 00:54 . 2008-03-23 00:52 15452536 ------w- c:\program files\IE7-WindowsXP-x86-enu.exe
2008-02-29 14:57 . 2008-02-10 18:03 23344432 ------w- c:\program files\QuickTimeInstaller.exe
2008-11-16 16:51 . 2008-11-15 05:08 27976 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-16 16:51 . 2008-11-15 05:08 126360 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-11-15 05:08 . 2008-11-15 05:08 98712 ------w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-20_20.14.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-25 02:36 . 2011-09-25 02:36 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-20 20:12 . 2011-09-20 20:12 32768 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-20 20:12 . 2011-09-20 20:12 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2011-09-25 02:36 . 2011-09-25 02:36 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2011-09-25 02:36 . 2011-09-25 02:36 16384 c:\windows\temp\Cookies\index.dat
- 2011-09-20 20:12 . 2011-09-20 20:12 16384 c:\windows\Temp\Cookies\index.dat
+ 2011-06-06 19:55 . 2011-06-06 19:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
+ 2011-09-22 22:59 . 2011-09-22 22:58 214408 c:\windows\system32\javaws.exe
+ 2011-09-22 22:59 . 2011-09-22 22:58 173960 c:\windows\system32\javaw.exe
+ 2011-09-22 22:59 . 2011-09-22 22:58 173960 c:\windows\system32\java.exe
+ 2011-09-22 23:00 . 2011-09-22 23:00 176640 c:\windows\Installer\14eed7.msi
+ 2011-09-22 22:57 . 2011-09-22 22:57 937984 c:\windows\Installer\14eec9.msi
+ 2011-06-06 19:55 . 2011-06-06 19:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-09-24 05:18 . 2011-09-24 05:18 2295808 c:\windows\Installer\1d6d0f.msi
+ 2011-06-06 19:55 . 2011-06-06 19:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 19:55 . 2011-06-06 19:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 19:55 . 2011-06-06 19:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\1d6d10.msp
+ 2011-06-06 19:55 . 2011-06-06 19:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d1e06b91-60e6-4492-af9f-53043fa32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d1e06b91-60e6-4492-af9f-53043fa32716}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TheFreeDictionarycom\prxtbThe2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d1e06b91-60e6-4492-af9f-53043fa32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D1E06B91-60E6-4492-AF9F-53043FA32716}"= "c:\program files\TheFreeDictionarycom\prxtbThe2.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{d1e06b91-60e6-4492-af9f-53043fa32716}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-26 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"PMHandler"="c:\progra~1\Lenovo\PMDRIV~1\PMHandler.exe" [2006-08-22 33128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-02 7557120]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2006-04-19 24576]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPHKMGR.exe" [2006-05-08 94208]
"snp2std"="c:\windows\vsnp2std.exe" [2006-04-21 675840]
"nwiz"="nwiz.exe" [2006-03-02 1519616]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2006-07-03 110592]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2007-08-29 73728]
"ISUSPM Startup"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-09-19 562944]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\
Realhound IP Tune and Lube.LNK - c:\program files\REALHOUND IP Client\realhoundiptuneandlube.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-01-11 06:05 13824 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iTunes.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\iTunes.lnk
backup=c:\windows\pss\iTunes.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^iiii ccccc^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^iiii ccccc^Start Menu^Programs^Startup^iTunes.lnk]
path=c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\iTunes.lnk
backup=c:\windows\pss\iTunes.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\???6]
c:\program files\¿á6Íø\¼«ËÙ¿á6\Ku6SpeedUpper.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2006-10-06 03:57 409600 -c----w- c:\program files\ThinkPad\ConnectUtilities\ACTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
2006-10-06 03:53 110592 -c----w- c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2006-08-30 07:40 89542 ------w- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-04-21 14:53 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2007-08-23 05:48 53248 ------w- c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 05:29 623960 ----a-w- c:\program files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-05 00:08 136176 ----atw- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 23:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyInsights]
2008-02-19 16:19 502800 ------w- c:\program files\Microsoft Money Plus\MNYCoreFiles\mnyinsit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-03-15 23:07 421888 ------w- c:\program files\Picasa2\PicasaMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RIMBBLaunchAgent.exe]
2011-02-18 18:47 79192 ----a-w- c:\program files\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-08-10 06:21 16384000 ------w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-05-04 20:59 252136 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-08-26 13:41 68856 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-04-27 17:45 273544 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 04:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\iiii ccccc\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R1 PMHler;PMHler;c:\windows\system32\drivers\PMHler.sys [5/24/2006 12:48 PM 10240]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/18/2011 8:18 PM 136360]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [9/19/2009 7:04 AM 45312]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [8/11/2011 3:03 PM 470528]
S1 MpKsl4455b4c5;MpKsl4455b4c5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89BDB2B4-AA68-4A1F-BA95-8A8340D0A0DB}\MpKsl4455b4c5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89BDB2B4-AA68-4A1F-BA95-8A8340D0A0DB}\MpKsl4455b4c5.sys [?]
S1 MpKslb523da44;MpKslb523da44;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64F5AB7-6F66-41EF-ABE6-9BAD6298F43D}\MpKslb523da44.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C64F5AB7-6F66-41EF-ABE6-9BAD6298F43D}\MpKslb523da44.sys [?]
S2 smi2;smi2;\??\c:\program files\SMI2\smi2.sys --> c:\program files\SMI2\smi2.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [2/8/2011 11:35 PM 20480]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:37 PM 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 7:37 PM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-08-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 02:37]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-11 02:37]
.
2011-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2942788721-270316561-3154462386-1005Core.job
- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 00:08]
.
2011-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2942788721-270316561-3154462386-1005UA.job
- c:\documents and settings\iiii ccccc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 00:08]
.
2011-08-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 22:07]
.
2011-09-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2942788721-270316561-3154462386-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
2011-09-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2942788721-270316561-3154462386-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-24 19:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Shared Tools\MSConfig\startupreg\gw‘6*]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ku6SpeedUpper"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\¿á6Íø\\¼«ËÙ¿á6\\Ku6SpeedUpper.exe\" /start"
"inimapping"="0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1244)
c:\windows\system32\tphklock.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2272)
c:\windows\system32\WININET.dll
c:\documents and settings\iiii ccccc\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Lenovo\PM Driver\PMSveH.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2011-09-24 19:50:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-25 02:50
ComboFix2.txt 2011-09-24 23:21
ComboFix3.txt 2011-09-20 20:27
.
Pre-Run: 116,932,542,464 bytes free
Post-Run: 116,899,581,952 bytes free
.
- - End Of File - - 4BDD9AD1A652B4FCC8F0B7A92A36DC4F
 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    *ku6*
    :folderfind
    *ku6*
    :regfind
    *ku6*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
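The SystemLook search above follows from reading the ComboFix autostart sections: the helper picks the launch points whose file ComboFix could not verify (marked [?] or [N/A]) or whose path looks garbled, and turns the file name into a search term. Added here as an editor's example, not code from the thread or from the ComboFix/SystemLook authors: a small Python parser that does that triage over lines in the format of the "Reg Loading Points" output. The sample block is constructed from the line formats in the log above; the flag names and the `search_terms` helper are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of ComboFix's "Reg Loading Points" output
# (registry Run keys, a Startup-folder listing and msconfig\startupreg entries).
# The line formats are copied from the log above; the mix is constructed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"nwiz"="nwiz.exe" [2006-03-02 1519616]
.
c:\documents and settings\iiii ccccc\Start Menu\Programs\Startup\
Realhound IP Tune and Lube.LNK - c:\program files\REALHOUND IP Client\realhoundiptuneandlube.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\???6]
c:\program files\¿á6Íø\¼«ËÙ¿á6\Ku6SpeedUpper.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2011-04-21 14:53 281768 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
"""

# A fully qualified Windows path ending in an executable-type extension.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
# A Run-key value whose data is just a file name (no directory): resolved via the search path.
BARE_RE = re.compile(r'^"[^"]+"="([^"\\]+\.(?:exe|dll))"', re.IGNORECASE)
# ComboFix's trailing "[...]": "[date size]" normally, "[?]" or "[N/A]" when it could not stat the file.
TRAIL_RE = re.compile(r'\[([^\]]*)\]\s*$')


@dataclass
class Entry:
    key: str            # registry key or Startup folder the entry was found under
    target: str         # path (or bare file name) the entry launches
    flags: list = field(default_factory=list)


def parse_autostarts(text):
    """Return one Entry per launch point, with triage flags attached."""
    entries = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # registry key header
            continue
        if line.endswith("\\"):
            key = line                  # Startup-folder header
            continue
        path = PATH_RE.search(line)
        bare = BARE_RE.match(line)
        if path:
            target = path.group(1)
        elif bare:
            target = bare.group(1)
        else:
            continue
        entry = Entry(key, target)
        trail = TRAIL_RE.search(line)
        if trail and trail.group(1).strip() in ("?", "N/A"):
            entry.flags.append("unverified")   # ComboFix could not find/stat the file
        if any(ord(ch) > 127 for ch in target):
            entry.flags.append("non_ascii")    # mojibake in the path: unusual for a legit installer
        if bare:
            entry.flags.append("bare_name")    # launched by name only; which file runs depends on PATH
        entries.append(entry)
    return entries


def search_terms(entries):
    """Lower-cased file stems of unverified / non-ASCII entries, usable as SystemLook *term* searches."""
    terms = []
    for e in entries:
        if "unverified" in e.flags or "non_ascii" in e.flags:
            stem = e.target.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem not in terms:
                terms.append(stem)
    return terms


if __name__ == "__main__":
    found = parse_autostarts(SAMPLE_LOG)
    for e in found:
        print(f"{','.join(e.flags) or 'ok':22} {e.target}")
    print("SystemLook terms:", ["*%s*" % t for t in search_terms(found)])
```

Run against the sample, the Realhound and Ku6SpeedUpper entries come out as unverified (the Ku6 one also as non_ascii), `nwiz.exe` is noted as a bare name, and the two stems are what you would wrap in `*...*` for the `:filefind`/`:folderfind`/`:regfind` lines. A bare-name flag is informational, not a verdict; `nwiz.exe` is an NVIDIA component, but an entry launched by name alone is worth confirming against the directory it actually resolves to.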
 
SystemLook log

Hello Broni:

Thanks for your help. Here is the SystemLook log. It looks like it is in that CS2/Macromedia install. Please advise how best to uninstall all of them. Thanks!

Best,
Wiz:wave:

__________
SystemLook 30.07.11 by jpshortstuff
Log created at 21:25 on 24/09/2011 by iiii ccccc
Administrator - Elevation successful

========== filefind ==========

Searching for "*ku6*"
C:\iiii ccccc backup\Application Data\Macromedia\Flash Player\#SharedObjects\ALPU5588\img.ku6.com\KU6_SETTING.sol --a---- 50 bytes [04:42 18/05/2010] [20:06 09/08/2008] 0F4F57C420819F25AD9A6F79F8FF5C07

========== folderfind ==========

Searching for "*ku6*"
C:\iiii ccccc backup\Application Data\Macromedia\Flash Player\#SharedObjects\ALPU5588\img.ku6.com d------ [04:42 18/05/2010]
C:\iiii ccccc backup\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#img.ku6.com d------ [04:41 18/05/2010]

========== regfind ==========

Searching for "*ku6*"
No data found.

-= EOF =-
 
Folder name

Hello Broni:

That is just the name of a folder in which my friend has supposedly backed up her files. The folder name is legit. What is in there is apparently infected.
 
In that case leave it alone.
Those files are not active.

Are you experiencing any current computer issues?
 
No major problem

Hello Broni:

Only the bootup is a bit slow. Once it is running, everything is smooth and fast. Shutdown is fast too. Perhaps the bootup will get better once all the changes are made and the system is stable. Thank you very much for your help. I will get back online tomorrow!

Best wishes,
Wiz:wave:
 
Well, at this point.....

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
Final OTL log and Thank You!

Hello Broni:

Here is the final OTL log. Thank you very much for all your help throughout this cleanup process. I will complete the rest of the steps and set up a couple more security programs to protect this laptop against potential future infections to the extent possible. Thank you, again!

Best wishes,
Wiz:wave:
____________________OTL log_______________

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: iiii ccccc
->Temp folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 39624620 bytes
->Flash cache emptied: 343 bytes

User: iiii ccccc backup
->Temp folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66499 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 38.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: iiii ccccc
->Flash cache emptied: 0 bytes

User: iiii ccccc backup
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.29.1 log created on 09252011_122821

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
You're very welcome
 