Posted

PC: Compaq

OS: Windows XP Professional

 

Since Wednesday evening it appears that my PC has been infected with a virus.

 

I got a message from Windows that Worm.Win32.NetSky has been detected on my PC. McAfee also detected a virus.

 

So far the symptoms have been:

 

- desktop background has changed;

- installation of "Internet Security 2010" on PC;

- automatic connection to broadband line before I have opened Internet Explorer (IE);

- having to re-enter usernames and passwords on sites, usually messageboards, I use regularly and on which I have u/n and p/w saved;

- IE sometimes not going to different sites I click on from google search results.

 

I scanned the PC using McAfee and SuperAntiSpyware. The former detected infections and removed them and the latter also detected infections, inc. Internet Security 2010, and removed them but without success and the problems remain.

 

I should add that I bought the PC secondhand from a shop 10 months ago and it works very well, although it did not come with disks for the software.

 

I would be grateful for any help.

 

I have been advised to use Kaspersky or NOD32 instead of McAfee and also to stop using IE because it is unstable and use Mozilla or Opera instead. Is this good advice?

 

Many thanks. Much appreciated.

Posted

Was Internet Security 2010 removed?

Is your desktop still wrong?

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted

No, it wasn't removed.

 

I can use desktop, but the background remains different to what it used to be (and the internet is connected automatically now, unlike before when I had to click on the browser icon).

 

The most extreme symptom is clicking on results from Google searches. They hardly ever take me to the result address.

Posted

For now follow this guide please.

 

Your computer appears to be infected with Malware. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

 

It is in your best interest to note the following:

  1. Please disable your resident security applications (such as AVG, Spybot, WinPatrol, etc.) before performing the below procedure so that they do not interfere with the process.
  2. Perform all the steps in the order listed to avoid any conflicts.
  3. If unsure, please stop and voice your doubts.
  4. You might be required to go offline during the disinfection process. Therefore, it is recommended to print off the instructions below for ease of reference.

If you stick to the above guidelines, all should go smoothly.


================================================

STEP 1

  1. Download ATF-Cleaner by Atribune.
  2. Save the file to your Desktop.
  3. Double-click on the file to run the program.
  4. On the Main tab, check the Select All button.
  5. Next, click on the Firefox tab (if applicable) and check the Select All button.
     
    Note: If you would like to preserve your saved passwords in Firefox, then click No at the corresponding prompt.
  6. Now, click on the Opera tab (if applicable) and check the Select All button.
     
    Note: If you would like to preserve your saved passwords in Opera, then click No at the corresponding prompt.
  7. Press the Empty Selected button and click OK to acknowledge the corresponding prompt.
  8. Click on the Exit button to quit the program.

================================================

STEP 2

  1. Please click here to download Malwarebytes' Anti-Malware.
  2. Save the file to your Desktop.
  3. Double-click mbam-setup.exe and follow the prompts to install the program.
  4. At the end, make sure a check mark is placed next to:

    1. Update Malwarebytes' Anti-Malware
    2. Launch Malwarebytes' Anti-Malware

  5. Click Finish.
  6. The program will download and update itself if it finds the necessity to do so. Please allow this.
  7. Once the program has loaded, select Perform full scan, then click Scan.
     
    Note: Depending on your computer specifications, the scan may take some time to complete. Please wait patiently and do not interrupt the process.
  8. When the scan is complete, click OK, and then Show Results to view the results.
  9. Make sure that every entry is selected, and click Remove Selected.
  10. Restart your computer.

================================================

STEP 3

  1. Please click here to download SUPERAntiSpyware (Free Version).
  2. Save the file to your Desktop.
  3. Double-click SUPERAntiSpyware.exe and follow the prompts to install the program.
  4. Open SUPERAntiSpyware.
  5. Under Configuration and Preferences, click the Preferences button.
  6. Click the Scanning Control tab.
  7. Under Scanner Options make sure the following fields are checked:

    - Close browsers before scanning
    - Scan for tracking cookies
    - Terminate memory threats before quarantining

  8. Click the Close button to leave the control center screen.
  9. On the main screen, under Scan for Harmful Software click Scan your computer.
  10. On the left, make sure you check mark All the Fixed Drives.
  11. On the right, under Complete Scan, choose Perform Complete Scan.
  12. Click Next to start the scan. Please be patient while it scans your computer.
  13. After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  14. Make sure every entry has a check mark next to it and click Next.
  15. A notification will appear that Quarantine and Removal is Complete. Click OK and then Finish to return to the main menu.
  16. Restart your computer.

================================================

STEP 4

  1. Please visit the ESET Online Scanner, using Internet Explorer to initiate the scan.
     
    Note: If you are running Windows Vista, then you will need Administrative privileges to complete the latter part of the procedure. To do so, right-click on the Internet Explorer icon in the Start Menu and select the Run As Administrator option in the shell context menu.
  2. Check mark the YES, I accept the Terms of Use box.
  3. Click the Start button.
  4. Click the Install button on the following screen.
  5. Click Start. This will initialize and update the scanner engine.
  6. Check mark the box beside Remove found threats.
  7. Click the Scan button. This will start the scan. Please be patient while it is in progress.
  8. Restart your computer.

================================================

STEP 5

  1. Click on Start > Programs > Accessories > System Tools and select System Restore.
  2. Choose the radio button marked Create a Restore Point on the first screen and click Next. Give the restore point a name then click Create. The new point will be stamped with the current date and time. Keep a note of this so you can find it easily should you need to use System Restore.
  3. Next, click on Start > Run, type Cleanmgr and click on OK.
  4. Click on the More Options tab.
  5. Click the Clean Up button in the System Restore section to remove all previous restore points except the most recent one.

This will remove any infected files that have been backed up by Windows. The files in "System Restore" are protected to prevent any programs changing those files. This is the only foolproof way to ensure the deletion of those files.

 

Note: Do not clear restore points on a regular basis as doing so will clear all previous restore points even those that you may need. System Restore is a useful tool to revert your computer back to a working condition if something goes wrong.

 

Re-enable all your security applications and please return here and tell us how the computer seems to be operating.


Posted

Thank you.

 

Before I begin can you tell me how I disable my resident security applications? I appear to only have McAfee and SUPERAntiSpyware.

Posted

Open the McAfee Security Center. In mine I select Computer and Files, then Configure.

 

However, I've never had a problem with running those scans with McAfee running.


Posted

I completed steps 1 to 4 successfully (I even noticed step 4 identified the Win32 worm) but when I reached step 5 I got the following message, "System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator," after I clicked on System Restore from the System Tools menu.

 

Two things remain unchanged: the computer connects automatically to the Internet before I click on the browser's icon - although the IE window does not open - and the desktop remains on the "warning" colour (I found this out by entering the Desktop menu from the Control Panel).

 

Can you advise, please.

 

Many thanks for your help, it is very much appreciated.

Posted

Try the instructions here to turn on System Restore: System Restore Group Policy restrictions. Since you're using XP Pro, use the instructions in the lower part.

 

Unless you're using dialup you should be connected as soon as you boot up.

 

the desk top remains on the "warning" colour (I found this out by entering the Desk Top menu from the Control Panel).

I'm unclear as to what you mean by desktop and "warning" colour or "Desk Top menu".

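As an added example (not from the thread or from Free PC Help): a small batch script for XP that reads the registry values behind the "turned off by group policy" message, so you can see whether something has set that policy on a PC that is not on a domain, and removes the policy values only when run with /fix. It assumes reg.exe (shipped with XP) and an Administrator account; the key and value names are the standard System Restore policy locations, and the script name is hypothetical.

```batch
@echo off
rem srcheck.cmd - report (and optionally clear) the policy that disables System Restore.
rem Added example, not part of the thread. Assumes Windows XP with reg.exe and an
rem Administrator account. Usage: srcheck.cmd        (report only)
rem                                srcheck.cmd /fix   (also delete the policy values)
setlocal

rem Group Policy location: a DisableSR of 0x1 here produces the message
rem "System Restore has been turned off by group policy".
set "POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
rem Per-machine setting written by the System Properties > System Restore tab.
set "CFGKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

echo == Policy key (what "turned off by group policy" refers to) ==
call :show "%POLKEY%" DisableSR
call :show "%POLKEY%" DisableConfig

echo.
echo == Per-machine setting (System Properties ^> System Restore tab) ==
call :show "%CFGKEY%" DisableSR

if /i "%~1"=="/fix" (
    echo.
    echo Removing the policy values so System Restore can be turned on again...
    reg delete "%POLKEY%" /v DisableSR /f >nul 2>&1
    reg delete "%POLKEY%" /v DisableConfig /f >nul 2>&1
    echo Done. Reopen System Restore and choose Yes when asked to turn it on.
)
goto :eof

:show
rem %1 = registry key, %2 = value name. Prints the value, or "not set" if absent.
reg query "%~1" /v %2 >nul 2>&1
if errorlevel 1 (
    echo   %2 : not set
) else (
    rem Third token of the matching output line is the data, e.g. 0x1
    for /f "tokens=3" %%v in ('reg query "%~1" /v %2 ^| find /i "%2"') do echo   %2 : %%v
)
goto :eof
```

On a domain-joined PC the values come back at the next policy refresh, so the domain administrator has to change the GPO; on a standalone home PC a DisableSR policy value that nobody set is itself a sign that malware wrote it.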

  • 4 weeks later...
Posted

I followed those instructions but all I received after clicking on "System Restore" from the System Tools sub-menu is a dialogue box which says: "System Restore has been turned off. Do you want to turn on System Restore now? Yes or No."

 

Any further help would be very welcome. Thanks.

Posted
Did you select "Yes"? If so then it should be on now, correct?


  • 1 month later...
Posted

Yes and I was able to complete step 5. Thank you.

 

I have a Windows Installer dialogue box appearing every time I switch on the computer saying "preparing to install". It then requests that I insert a disk to install. After clicking on Cancel, two Solution Centre dialogue boxes appear which I have to cancel. How can I stop these appearing?

 

Thank you.

Posted (edited)

It's likely to be leftovers from something that you previously tried to install.

 

 

Let's have you download ComboFix.exe now. Please visit this webpage for downloading and instructions for running the tool:

 

Go here: A guide and tutorial on using ComboFix

 

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should get a prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

 

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

(2) Click Yes to allow ComboFix to continue scanning for malware.

 

When the tool is finished, it will produce a report for you.

 

 

Please include C:\ComboFix.txt for further review, so that we may continue cleansing the system.

 

 

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

Edited by chiaz
  • 4 weeks later...
Posted

Thanks for the advice. I will try it and report back on how it goes.

 

I noticed that a couple of group messages have been sent (unknowingly to me) from my hotmail account to some of my contacts. Do you know why this happens and how I can prevent it? Many thanks.

Posted

I see. I performed a full scan using the Malwarebytes' Anti-Malware program but it did not detect any infections.

 

Can you advise what to do? Thanks.

Posted

Thanks.

 

How do I Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, as suggested above?

  • 4 months later...
Posted (edited)

Hello again.

 

I scanned my PC using ComboFix and it produced a report which is reproduced below.

 

I await further instruction. Thank you.

 


Edited by r0adrunner
  • 2 weeks later...
Posted
After all this time it's impossible to determine if this is ongoing or new. I think it would be best to start a new thread. You can link to this thread from the new thread if you wish. I'm afraid it's probably back to square one.

