Inactive Malware issue (Posting Logs of MBAM, GMER & DDS)


dcb1

Hi,

Thank you for the great support forum, and especially the introductory content about using MBAM, DDS and GMER.

I had Kaspersky 2011 and thought that my computer was best protected. But recently I was blacklisted from a server for being recognized as an IP doing spam. Then my mails in outlook explorer were not going out. They gave me an SMTP timeout error, as if the mail had large attachments. Hence I decided to explore further.

After running MBAM, I was surprised to find malware infections. I would be really thankful if someone can please verify my logs and tell me if everything is ok or more needs to be done.

----------------------------------------------------------------
Starting with MBAM logs

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7498

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

8/18/2011 12:58:09 PM
mbam-log-2011-08-18 (12-58-09).txt

Scan type: Quick scan
Objects scanned: 185710
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\local settings\Temp\utt961.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt965.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt976.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt977.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
 
GMER Logs

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-18 13:23:32
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD3200BEVT-22ZCT0 rev.11.01A11
Running: 49c9n9kz.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xA7B69ED2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xA7B69F6A]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS.TXT log

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 13:27:33 on 2011-08-18
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1163 [GMT 5.5:30]
.
AV: Kaspersky Anti-Virus *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MBlaze UI\bin\MonServiceUDisk.exe
C:\Program Files\vtigercrm-5.2.1\apache\bin\Apache.exe
C:\Program Files\vtigercrm-5.2.1\mysql\bin\mysqld-nt.exe
C:\Program Files\vtigercrm-5.2.1\apache\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Office 2007\Office12\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://in.yahoo.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://in.yahoo.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/done
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [WinampAgent] "c:\program files\winamp3\winampa.exe"
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe"
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0357.1\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\office~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\office~1\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2011\klwtbbho.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\llefuk5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://in.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://in.search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0357.1\npwinext.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2010-6-9 132184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2010-6-9 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-10-27 475736]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe -r --> c:\program files\kaspersky lab\kaspersky anti-virus 2011\avp.exe -r [?]
R2 UDisk Monitor;UDisk Monitor;c:\program files\mblaze ui\bin\MonServiceUDisk.exe [2010-10-26 512000]
R2 vtigercrmApache521;vtigercrmApache521;c:\program files\vtigercrm-5.2.1\apache\bin\Apache.exe [2009-5-8 20541]
R2 vtigercrmMysql521;vtigercrmMysql521;"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt" "--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini" vtigercrmmysql521 --> c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 32856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-11-23 100736]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-8-18 41272]
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\drivers\memaccdrv32.sys --> f:\install\drivers\MemAccDrv32.sys [?]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2010-10-26 104704]
.
=============== Created Last 30 ================
.
2011-08-18 06:37:38 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-08-18 06:37:25 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-18 06:37:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-18 06:37:21 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 06:37:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-18 06:21:29 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-18 06:21:29 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
.
============= FINISH: 13:28:15.76 ===============
 
Attach.txt Log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/28/2009 12:16:25 PM
System Uptime: 8/18/2011 12:59:55 PM (1 hours ago)
.
Motherboard: Acer | | Columbia
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | U2E1 | 789/200mhz
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | U2E1 | 2194/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 98 GiB total, 51.905 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 86.961 GiB free.
E: is FIXED (NTFS) - 103 GiB total, 101.367 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart B110 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: B110,192.168.2.103
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart B110 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart B110 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: HP LaserJet 1022n
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: Hewlett-Packard
Name: HP LaserJet 1022n
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
==== System Restore Points ===================
.
RP191: 5/18/2011 1:07:16 PM - System Checkpoint
RP192: 5/20/2011 11:49:07 AM - System Checkpoint
RP193: 5/23/2011 1:55:27 PM - System Checkpoint
RP194: 5/23/2011 4:08:42 PM - Configured Microsoft Office Professional Plus 2007
RP195: 5/23/2011 4:11:55 PM - Configured Microsoft Office Professional Plus 2007
RP196: 5/25/2011 1:33:21 PM - System Checkpoint
RP197: 6/15/2011 12:06:43 PM - System Checkpoint
RP198: 6/24/2011 3:36:58 PM - System Checkpoint
RP199: 6/28/2011 7:04:18 PM - System Checkpoint
RP200: 6/30/2011 1:16:48 AM - System Checkpoint
RP201: 7/4/2011 10:01:46 PM - System Checkpoint
RP202: 7/5/2011 11:48:59 PM - System Checkpoint
RP203: 7/8/2011 4:22:28 PM - System Checkpoint
RP204: 7/11/2011 5:55:48 PM - System Checkpoint
RP205: 7/13/2011 12:44:24 AM - System Checkpoint
RP206: 7/17/2011 4:37:08 PM - System Checkpoint
RP207: 7/19/2011 3:14:35 PM - System Checkpoint
RP208: 7/22/2011 11:23:20 AM - System Checkpoint
RP209: 7/24/2011 4:18:02 PM - System Checkpoint
RP210: 7/26/2011 5:01:35 PM - System Checkpoint
RP211: 7/27/2011 5:11:40 PM - System Checkpoint
RP212: 7/29/2011 12:16:02 PM - System Checkpoint
RP213: 7/31/2011 10:10:07 AM - System Checkpoint
RP214: 8/2/2011 2:03:23 PM - System Checkpoint
RP215: 8/3/2011 2:23:03 PM - System Checkpoint
RP216: 8/4/2011 6:24:32 PM - System Checkpoint
RP217: 8/8/2011 5:01:56 PM - System Checkpoint
RP218: 8/10/2011 1:26:01 PM - Configured Microsoft Office Professional Plus 2007
RP219: 8/12/2011 12:47:39 AM - System Checkpoint
RP220: 8/13/2011 4:41:37 PM - System Checkpoint
RP221: 8/16/2011 3:47:34 PM - System Checkpoint
RP222: 8/18/2011 11:51:27 AM - Installed HiJackThis
.
==== Installed Programs ======================
.
µTorrent
32 Bit HP CIO Components Installer
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Ask Toolbar
AudioCommander
AuthenTec Fingerprint Sensor Minimum Install
B110
Bonjour
Broadcom Gigabit Integrated Controller
BufferChm
ColorWhiz 2.1
Conduit Engine
Core FTP LE 2.1
Coupon Printer for Windows
Destinations
DeviceDiscovery
Dulux MyColour4
FileZilla Client 3.5.0
Free Video to Flash Converter version 4.5
GMATPrep(TM)
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService2
HDAUDIO Soft Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB888111
HiJackThis
HP Customer Participation Program 14.0
HP Imaging Device Functions 14.0
HP Photo Creations
HP Photosmart Wireless B110 All-In-One Driver Software 14.0 Rel. 7
HP Smart Web Printing 4.60
HP Solution Center 14.0
HP Update
HPAppStudio
HPProductAssistant
HPSSupply
Intel(R) Graphics Media Accelerator Driver
IrfanView (remove only)
Jamboree_Test_Series
Java Auto Updater
Java(TM) 6 Update 20
jEdit 4.3.2
K-Lite Mega Codec Pack 1.43
Kaspersky Anti-Virus 2011
Launch Manager
Malwarebytes' Anti-Malware version 1.51.1.1800
MarketResearch
MBlaze UI
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Default Manager
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.20)
MSN Toolbar
MSN Toolbar Platform
MSXML 6.0 Parser (KB933579)
Nero 7 Essentials
Network
PowerDVD
PS_AIO_07_B110_SW_Min
QuickTime
QuickTransfer
Realtek High Definition Audio Driver
Safari
Scan
Shop for HP Supplies
Skype™ 4.0
SmartWebPrinting
SolutionCenter
Status
Synaptics Pointing Device Driver
Tata Photon+
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
TrayApp
Uninstall 1.0.0.1
Unity Web Player
uTorrentBar Toolbar
VideoLAN VLC media player 0.8.5
vtigercrm-5.2.1
WampServer 2.0
WebEx
WebFldrs XP
WebReg
WIDCOMM Bluetooth Software
Winamp3 (remove only)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live ID Sign-in Assistant
Windows Media Format Runtime
WinRAR archiver
WinZip
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
8/17/2011 12:28:19 AM, error: Srv [2000] - The server's call to a system service failed unexpectedly.
8/15/2011 5:49:00 PM, error: Dhcp [1002] - The IP address lease 192.168.2.100 for the Network Card with network address 001F3C95246B has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
8/14/2011 6:47:02 PM, error: Dhcp [1002] - The IP address lease 192.168.2.103 for the Network Card with network address 001F3C95246B has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
8/13/2011 3:26:13 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3C95246B. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/11/2011 6:42:31 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
.
==== End Of File ===========================
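The MBAM log posted above has a fixed line format ("object (threat) -> action", with "Bad: (x) Good: (y)" on registry data items), so its header counts can be checked mechanically against the detections it lists. The Python below is an added example, not code from the post or from Malwarebytes; the sample log is a constructed, trimmed excerpt of the one posted, and the class and function names are my own.

```python
# Added example, not part of the original post: parse the MBAM log format
# shown above and cross-check the header counts against the detections listed.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Detection categories in the order MBAM prints them.
CATEGORIES = [
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
]

# Summary line:   "<category>: <count>"
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Detection line: "<object> (<threat>) -> [Bad: (x) Good: (y) -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<object>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

@dataclass
class Detection:
    category: str
    obj: str
    threat: str
    action: str
    bad: Optional[str] = None   # "Bad:"/"Good:" only appear on registry data items
    good: Optional[str] = None

@dataclass
class MbamReport:
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def mismatches(self) -> dict:
        """Categories whose header count differs from the entries actually listed."""
        out = {}
        for cat in CATEGORIES:
            listed = sum(1 for d in self.detections if d.category == cat)
            claimed = self.summary.get(cat, 0)
            if listed != claimed:
                out[cat] = (claimed, listed)
        return out

    def threat_families(self) -> Counter:
        return Counter(d.threat for d in self.detections)

    def security_center_tampering(self) -> list:
        """Security Center notification values MBAM found switched off (Bad = 1)."""
        return [d.obj.rsplit("\\", 1)[-1] for d in self.detections
                if d.threat == "PUM.Disabled.SecurityCenter" and d.bad == "1"]

def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m and m.group("category") in CATEGORIES:
            report.summary[m.group("category")] = int(m.group("count"))
        elif line.endswith(":") and line[:-1] in CATEGORIES:
            section = line[:-1]                      # start of a detail section
        elif section and not line.startswith("(No malicious items"):
            m = DETECTION_RE.match(line)
            if m:
                report.detections.append(Detection(
                    section, m.group("object"), m.group("threat"),
                    m.group("action"), m.group("bad"), m.group("good")))
    return report

# Constructed excerpt modelled on the posted log (same entries, trimmed).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.1.1800

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Data Items Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\administrator\local settings\Temp\utt961.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\utt965.tmp.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(dict(rep.threat_families()), rep.mismatches(), rep.security_center_tampering())
```

A non-empty result from mismatches() means the log was truncated or edited before posting, which is worth knowing before reading the detail sections as complete.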
 
Welcome to TechSpot! I'll help you clean the system.

You shouldn't be surprised at having malware. Your extensive use of browser helper objects (BHO) makes you a sitting duck for malware. It would help me to know what the 'issues' are that you are experiencing other than the mail problem. We may find malware but it may be unrelated to the email problem. And if you use a web-based email such as Hotmail or Yahoo, the account could have been hacked from the internet.
=====================================
Please uninstall the following:
µTorrent
uTorrentBar Toolbar
Ask Toolbar
Conduit Engine
Coupon Printer for Windows
After uninstalling them, use Windows Explorer (Right click on Start> Explore)> go to My Computer> Double click on Local Drive(C)> Programs> find the program folders for each of the above and do a right click> Delete on each
Then close W/E.
================================================
The following are both out of date. They are vulnerabilities to the system. Please update both:
Adobe Acrobat 7.0 Professional: Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
Adobe Acrobat 7.1.0 Professional
Java(TM) 6 Update 20: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system
Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
==============================================
You will have malware in the Java cache so it needs to be emptied:
To clear the Java Plug-in cache:

  • [1]. Click Start > Control Panel.
    [2]. Double-click the Java icon in the control panel.
    The Java Control Panel appears.
    [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
    [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
    [5]. Click OK on Delete Temporary Files window.
    Note: This deletes all the Downloaded Applications and Applets from the cache.
    [6]. Click Apply> OK on Temporary Files Settings window.
===============================================
When finished, I'd like you to run Combofix. Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please leave the Combofix logs in your next reply, along with a description of any other malware related problems.
==============================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Dear Bobbye,

Thank you so much for your time and the wonderful step by step explanation. I performed all the procedures as prescribed.

Please find below my combofix log
----------------------------------------------------------------------

ComboFix 11-08-18.03 - Administrator 08/19/2011 11:03:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1319 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\Desktop\bh transfer\Appu Backup\D Drive backup\New Folder\My Documents\Nishi VM\doc pics\Ergonomics\Desktop_.ini
c:\documents and settings\Administrator\Desktop\bh transfer\Appu Backup\D Drive backup\New Folder\My Documents\Nishi VM\doc pics\South Ex\Desktop_.ini
c:\documents and settings\Administrator\My Documents\~WRL0762.tmp
c:\documents and settings\Administrator\My Documents\~WRL1569.tmp
c:\documents and settings\Administrator\My Documents\~WRL2641.tmp
c:\documents and settings\Administrator\My Documents\~WRL4033.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 05:06 . 2011-08-19 05:06 -------- d-----w- c:\program files\Common Files\Java
2011-08-19 05:06 . 2011-08-19 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-18 06:37 . 2011-07-06 14:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-18 06:37 . 2011-07-06 14:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 06:21 . 2011-08-18 06:21 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-18 06:21 . 2011-08-18 06:21 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-19 05:05 . 2010-05-25 02:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-08 06:42 . 2011-07-08 06:42 0 ---ha-w- c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-06-02 102400]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-06-02 858632]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"WinampAgent"="c:\program files\Winamp3\winampa.exe" [2002-07-23 12288]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-26 352976]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 118784]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\vtigercrm-5.2.1\\apache\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R2 UDisk Monitor;UDisk Monitor;c:\program files\MBlaze UI\bin\MonServiceUDisk.exe [10/26/2010 8:09 AM 512000]
R2 vtigercrmApache521;vtigercrmApache521;c:\program files\vtigercrm-5.2.1\apache\bin\Apache.exe [5/8/2009 8:11 PM 20541]
R2 vtigercrmMysql521;vtigercrmMysql521;"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt" "--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini" vtigercrmMysql521 --> c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 32856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2010 1:05 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2010 1:05 PM 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [11/23/2010 10:53 AM 100736]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [8/18/2011 12:07 PM 41272]
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys [?]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [10/26/2010 8:09 AM 104704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 07:35]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 07:35]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1078145449-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 04:53]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1078145449-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 04:53]
.
2011-07-10 c:\windows\Tasks\vtigerCRM Email Reminder.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\modules\Calendar\SendReminder.bat [2006-08-10 14:04]
.
2011-08-19 c:\windows\Tasks\vtigerCRM Notification Scheduler.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\intimateTaskStatus.bat [2007-04-13 15:21]
.
2011-07-09 c:\windows\Tasks\vtigerCRM Recurring Invoice.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\SalesOrder\RecurringInvoiceCron.bat [2009-06-03 06:44]
.
2011-08-19 c:\windows\Tasks\vtigerCRM WorkFlow.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\com_vtiger_workflow\com_vtiger_workflow.bat [2009-06-03 06:44]
.
2011-08-16 c:\windows\Tasks\WebReg HP Photosmart B110 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-11-17 18:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://in.yahoo.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/done
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - d:\office~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 202.56.215.54 202.56.215.55
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\llefuk5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://in.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://in.search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-NWEReboot - (no file)
AddRemove-UnityWebPlayer - c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-19 11:22
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vtigercrmMysql521]
"ImagePath"="\"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini\" vtigercrmMysql521"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4664)
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\igfxext.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-08-19 11:25:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-19 05:55
.
Pre-Run: 55,632,650,240 bytes free
Post-Run: 56,471,322,624 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - F3FB1A5CDB27CA5B150B253A5CDA4155
 
The Adobe Reader link was missing an attribute for the link. I corrected it so if you have not updated this program, please use the link to do it now.

A minor correction for you in case it comes up in the future> regarding this "Then my mails in outlook explorer">>> you are using Outlook, which is part of MS Office. Another separate email client is Outlook Express. There is no 'outlook explorer.'
=========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
KillAll::
File::
c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp
DDS::
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [WinampAgent] "c:\program files\winamp3\winampa.exe"
mRun: [NWEReboot]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
The following are all listed as Scheduled Tasks meaning they run whenever you scheduled them to do whatever it is they do. It looks like some may be related to a work email system. But do you need these to be 'scheduled' to do something such as auto-update or whatever they do? If not, I suggest that you remove them from the schedule. All were set up several years ago:
1. c:\windows\Tasks\vtigerCRM Email Reminder.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\modules\Calendar\SendReminder.bat [2006-08-10 14:04]
2. c:\windows\Tasks\vtigerCRM Notification Scheduler.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\intimateTaskStatus.bat [2007-04-13 15:21]
3. c:\windows\Tasks\vtigerCRM Recurring Invoice.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\SalesOrder\RecurringInvoiceCron.bat [2009-06-03 06:44]
4. c:\windows\Tasks\vtigerCRM WorkFlow.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\com_vtiger_workflow\com_vtiger_workflow.bat [2009-06-03 06:44]
5. c:\windows\Tasks\WebReg HP Photosmart B110 series.job (You do not need to check this for any updates)
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-11-17 18:59]


Scheduled Tasks
Most of these found are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.
Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

Maintenance Scheduled Tasks such as defrag are in a separate category.
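A small triage script for the ComboFix log format, covering the three things the helper acted on in the log posted above: the Security Center override values removed by the CFScript, the firewall AuthorizedApplications list, and the scheduled jobs that were "set up several years ago". This is an added example, not ComboFix's code and not from any post in this thread; the log excerpt inside it is constructed from lines of the first log above, and the value names in SECURITY_CENTER_FLAGS are those seen in this thread's MBAM and ComboFix output.

```python
"""Triage a ComboFix-style log excerpt for the items acted on in this thread:
Security Center overrides, firewall exceptions and aging scheduled tasks.
Added example; it is not ComboFix code and not from any post in the thread."""
import re
from dataclasses import dataclass, field
from datetime import date

# Values that silence Security Center. AntiVirusOverride and DisableMonitoring
# appear in the ComboFix log; the *DisableNotify names were flagged by MBAM.
SECURITY_CENTER_FLAGS = {
    "antivirusoverride", "firewalloverride", "disablemonitoring",
    "antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
}
KEY_RE = re.compile(r"^\[(.+)\]$")                # [HKEY_...] section header
VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')          # "Name"=data (REGEDIT4 style)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (c:\\windows\\tasks\\.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2}) [\d:]+\]$")
DONE_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2}) ")


@dataclass
class Triage:
    log_date: date = None
    security_center: list = field(default_factory=list)   # (key, value name)
    firewall_exceptions: list = field(default_factory=list)
    tasks: list = field(default_factory=list)              # (job, target, target date)
    run_entries: int = 0


def triage(log_text: str) -> Triage:
    """Walk the log once, tracking the current registry key and a pending .job line."""
    result, current_key, pending_job = Triage(), "", None
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := KEY_RE.match(line):
            current_key = m.group(1)
        elif m := TASK_RE.match(line):
            pending_job = m.group(1)
        elif (m := TARGET_RE.match(line)) and pending_job:
            result.tasks.append((pending_job, m.group(1), date.fromisoformat(m.group(2))))
            pending_job = None
        elif m := DONE_RE.match(line):
            result.log_date = date.fromisoformat(m.group(1))
        elif m := VALUE_RE.match(line):
            name, data = m.group(1), m.group(2)
            key_l = current_key.lower()
            if ("security center" in key_l and name.lower() in SECURITY_CENTER_FLAGS
                    and data.lower() == "dword:00000001"):
                result.security_center.append((current_key, name))
            elif key_l.endswith("authorizedapplications\\list"):
                # REGEDIT4 doubles backslashes in value names; undo for readability
                result.firewall_exceptions.append(name.replace("\\\\", "\\"))
            elif key_l.endswith("\\run"):
                result.run_entries += 1
    return result


def stale_tasks(t: Triage, years: int = 2) -> list:
    """Jobs whose target binary predates the log by more than `years`: the
    'set up several years ago' auto-update jobs worth reviewing or removing."""
    return [job for job, _target, when in t.tasks
            if t.log_date and (t.log_date - when).days > 365 * years]


# Constructed excerpt assembled from lines of the first ComboFix log in this thread
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-26 352976]
"WinampAgent"="c:\program files\Winamp3\winampa.exe" [2002-07-23 12288]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\vtigerCRM Email Reminder.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\modules\Calendar\SendReminder.bat [2006-08-10 14:04]
.
2011-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 07:35]
.
Completion time: 2011-08-19 11:25:34 - machine was rebooted
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for key, name in t.security_center:
        print(f"Security Center suppressed: {name} under {key}")
    print("Firewall exceptions:", *t.firewall_exceptions, sep="\n  ")
    print("Run entries:", t.run_entries)
    print("Stale scheduled jobs:", *stale_tasks(t), sep="\n  ")
```

Feed it a full ComboFix.txt and the Security Center lines it reports are the ones to restore (the CFScript above deletes them with `=-`), while the stale-job list is the starting point for the Scheduled Tasks review described above.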
 
Combofix logs

Dear Friend,

I am really thankful to you for your detailed analysis and such detailed guidance. Your help is truly invaluable.

Please find below my latest combofix log after I ran the script.

----------------------------------------------------------------------------------------------------------------------------
ComboFix 11-08-24.04 - Administrator 08/25/2011 0:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1346 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\My Documents\Downloads\CFScript.txt
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
FILE ::
"c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2011-08-24 18:45 . 2011-08-24 18:45 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-08-24 18:45 . 2011-08-24 18:45 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-08-24 18:45 . 2011-08-24 18:45 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-08-24 18:45 . 2011-08-24 18:45 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-08-19 05:06 . 2011-08-19 05:06 -------- d-----w- c:\program files\Common Files\Java
2011-08-19 05:06 . 2011-08-19 05:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-18 06:37 . 2011-07-06 14:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-18 06:37 . 2011-08-18 06:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-18 06:37 . 2011-07-06 14:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-18 06:21 . 2011-08-18 06:21 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-18 06:21 . 2011-08-18 06:21 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-19 05:05 . 2010-05-25 02:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-08 06:42 . 2011-07-08 06:42 0 ---ha-w- c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-26 4351216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-28 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-06-02 102400]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-06-02 858632]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-26 352976]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\QTTask.exe" [2010-11-29 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0357.1\mswinext.exe" [2009-11-16 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-28 25214]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 118784]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\vtigercrm-5.2.1\\apache\\bin\\Apache.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Office 2007\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R2 UDisk Monitor;UDisk Monitor;c:\program files\MBlaze UI\bin\MonServiceUDisk.exe [10/26/2010 8:09 AM 512000]
R2 vtigercrmApache521;vtigercrmApache521;c:\program files\vtigercrm-5.2.1\apache\bin\Apache.exe [5/8/2009 8:11 PM 20541]
R2 vtigercrmMysql521;vtigercrmMysql521;"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt" "--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini" vtigercrmMysql521 --> c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 32856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2010 1:05 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2010 1:05 PM 135664]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [11/23/2010 10:53 AM 100736]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys [?]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [10/26/2010 8:09 AM 104704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 07:35]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 07:35]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1078145449-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 04:53]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1078145449-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 04:53]
.
2011-08-23 c:\windows\Tasks\vtigerCRM Email Reminder.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\modules\Calendar\SendReminder.bat [2006-08-10 14:04]
.
2011-08-24 c:\windows\Tasks\vtigerCRM Notification Scheduler.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\intimateTaskStatus.bat [2007-04-13 15:21]
.
2011-07-09 c:\windows\Tasks\vtigerCRM Recurring Invoice.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\SalesOrder\RecurringInvoiceCron.bat [2009-06-03 06:44]
.
2011-08-24 c:\windows\Tasks\vtigerCRM WorkFlow.job
- c:\program files\vtigercrm-5.2.1\apache\htdocs\vtigerCRM\cron\modules\com_vtiger_workflow\com_vtiger_workflow.bat [2009-06-03 06:44]
.
2011-08-23 c:\windows\Tasks\WebReg HP Photosmart B110 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2009-11-17 18:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://in.yahoo.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/done
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\office~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\llefuk5k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://in.search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://in.search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-25 03:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vtigercrmMysql521]
"ImagePath"="\"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini\" vtigercrmMysql521"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1496)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(5896)
c:\windows\system32\btmmhook.dll
c:\program files\WIDCOMM\Bluetooth Software\btkeyind.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\windows\system32\igfxext.exe
c:\docume~1\ADMINI~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2011-08-25 03:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-24 21:48
ComboFix2.txt 2011-08-19 05:55
.
Pre-Run: 56,375,484,416 bytes free
Post-Run: 56,403,386,368 bytes free
.
- - End Of File - - C1A88B8E5D79562D431E1548E2A43916
 
I am glad to help. Thank you for your kind words.

Help me out with this please: Is this for your work? vtigerCRM
You have added many scheduled tasks with this, plus drivers are running
This appears to be some type of Open Source Customer Portal.
And I am also seeing this entry:
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vtigercrmMysql521]
"ImagePath"="\"c:\program files\vtigercrm-5.2.1\mysql\bin\mysqld-nt\" \"--defaults-file=c:\program files\vtigercrm-5.2.1\mysql\my.ini\" vtigercrmMysql521"

================================
I had this in the script, but it's either back again or didn't remove: Tell me about it:
c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp

It appears to be this: Bit-80.CoM - P2P To HTTP System
 
Hi,

vtigerCRM is an open source CRM solution based on Sugar CRM. I installed this as I was exploring some means to develop a CRM solution. If you feel it is important to remove it, then I can do it.

Further I have no idea about the bit80.tmp. I posted the log just after running the custom script you provided. What should I do? Should I delete it manually?

Regards
 
If you use and need the CRM features, leave it. If not, it should be uninstalled and entries removed.

Another question> do you know what this is for?
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys [?]

There is no safe site for me to use to ID it.
========================================
Let's check your security- all I see is the Kaspersky AV and that is not enough:
Download Security Check by screen317 from one of these links:
Link 1
Link 2
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
==============================================
Are you still having any malware issues?
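A small triage script, added here as an example (it is not part of the thread and not ComboFix's own code), that parses service lines in the format posted above and flags the kind of entry asked about: the sample lines are constructed from the log, and reading `[?]` as "no timestamp/size could be recorded" is an assumption.

```python
import re

# Constructed sample in the ComboFix "services" format seen in the thread
# (R = running, S = stopped/on-demand; [?] assumed to mean no timestamp/size was recorded)
SAMPLE_LOG = r"""
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 5:43 PM 11352]
R2 vtigercrmApache521;vtigercrmApache521;c:\program files\vtigercrm-5.2.1\apache\bin\Apache.exe [5/8/2009 8:11 PM 20541]
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
SYSTEM_DRIVE = "c:"  # assumption: Windows lives on C:, as in the posted log

def parse_service_line(line):
    """Return the fields of one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # "raw --> resolved" shows the ImagePath resolved to a plain file path; keep the resolved one
    entry["path"] = entry["path"].split("-->")[-1].strip()
    return entry

def triage_service(entry):
    """Findings a defender would want to look at for one parsed entry."""
    findings = []
    if entry["meta"].strip() == "?":
        findings.append("unverified")        # no timestamp/size: file absent or unreadable at scan time
    if entry["path"].lower()[:2] != SYSTEM_DRIVE:
        findings.append("non-system-drive")  # image loads from removable or other media (here F:)
    if entry["state"].startswith("S") and findings:
        findings.append("dormant")           # not running now, but still registered and startable
    return findings

def triage(log_text):
    """Parse every service line in the log and attach its findings."""
    results = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry:
            results.append({"name": entry["name"], "state": entry["state"],
                            "path": entry["path"], "findings": triage_service(entry)})
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["state"]} {r["name"]:<20} {r["path"]}  -> {", ".join(r["findings"]) or "ok"}')
```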
 
Dear Bobbye,

F Drive is the Cd Rom drive for my PC. I really do not know why it showed
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys [?]

As suggested I will also uninstall vtiger CRM.

Please find below my checkup.txt log
----------------------------------------------------------------------
Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Kaspersky Anti-Virus 2011
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 26
Flash Player Out of Date!
Adobe Flash Player 10.2.152.32
Mozilla Firefox (3.6.21) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Kaspersky Lab Kaspersky Anti-Virus 2011 avp.exe
Kaspersky Lab Kaspersky Anti-Virus 2011 klwtblfs.exe
``````````End of Log````````````
 
F Drive is the Cd Rom drive for my PC. I really do not know why it showed
S3 MemAccDrv32;MemAccDrv32;\??\f:\install\Drivers\MemAccDrv32.sys --> f:\install\Drivers\MemAccDrv32.sys
See if there is a CD in the Drive.
====================================
Yes, I would like you to do a manual delete on the following:
c:\documents and settings\Administrator\Local Settings\Application Data\BIT80.tmp
Show Hidden Folders/Files
Open Windows Explorer: Right click on Start> Explore>
  • Open My Computer.
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck Hide extensions of known file types.
    • Uncheck Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click OK.
    • Click on Search> Choose 'All Files & Folders'> Search In> Choose the Local Drive.
    • Type in tmp> Enter> look for Bit80.tmp> Make sure it's located in the Docs. & Settings folder for the Administrator> do a right click> Delete if found.

Exit Windows Explorer.

Reset Hidden/System Files & Folders
========================================
Please update the Adobe Reader to v10: Adobe Reader site. Uninstall any earlier updates (v7) as they are vulnerabilities.
 