HP Recovery (In Progress)

Cookiegal
Administrator with 63,628 posts.
Join Date: Aug 2003
Location: Quebec, Canada
01-Nov-2009, 04:01 PM #31
Open Notepad and copy and paste the text in the code box below into it:

Code:
http://forums.techguy.org/malware-removal-hijackthis-logs/869099-hp-recovery.html#post7007820

Collect::
c:\windows\system32\urhtps.dat

SRPEEK::
c:\windows\system32\kernel32.dll
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.



**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
__________________
Microsoft MVP - Consumer Security
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
01-Nov-2009, 05:06 PM #32
I created the file and dragged it into ComboFix, which then did its thing and finished with a text file confirming that the file upload was successful. I didn't copy it at the time, thinking I could retrieve it later, but now I can't find it.

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:59:14, on 01/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: ibb_cust - https://ibusinessbanking1.aib.ie/ibb_cust.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166619393265
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file:///E:/SuperCD/IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{E35DB90B-3ABB-407E-B6DA-F4B1F698467E}: NameServer = 159.134.237.6,159.134.248.17
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
--
End of file - 10298 bytes
Cookiegal
Administrator with 63,628 posts.
Join Date: Aug 2003
Location: Quebec, Canada
02-Nov-2009, 06:29 PM #33
Please look for the file at C:\Combofix.txt and copy and paste the contents here.
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
03-Nov-2009, 03:26 AM #34
ComboFix 09-10-30.01 - My Name 01/11/2009 21:35.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.1406.886 [GMT 0:00]
Running from: c:\documents and settings\My Name\Desktop\purple.exe
Command switches used :: c:\documents and settings\My Name\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
file zipped: c:\windows\system32\urhtps.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\urhtps.dat
.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.
2009-10-31 18:12 . 2009-10-31 18:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 17:32 . 2009-10-27 17:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 17:31 . 2009-10-27 17:31 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\Threat Expert
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\documents and settings\My Name\Application Data\ScanSpyware
2009-10-27 10:07 . 2008-09-07 17:22 8704 ----a-w- c:\windows\system32\ssbtsr.exe
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\program files\ScanSpyware
2009-10-21 18:07 . 2009-10-21 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\documents and settings\My Name\Application Data\SUPERAntiSpyware.com
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 14:19 . 2009-10-22 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 08:35 . 2009-10-16 08:35 -------- d-----w- c:\program files\Trend Micro
2009-10-15 23:34 . 2008-04-14 04:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-10-15 21:37 . 2009-10-15 21:37 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Search
2009-10-15 18:56 . 2009-10-15 18:56 -------- d-----w- c:\documents and settings\My Name\Application Data\Nero
2009-10-15 18:52 . 2009-10-15 18:53 -------- d-----w- c:\program files\Nero
2009-10-15 18:51 . 2009-10-15 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-15 18:51 . 2009-10-15 18:55 -------- d-----w- c:\program files\Common Files\Nero
2009-10-15 17:13 . 2009-10-15 17:13 -------- d-----w- c:\documents and settings\My Name\Tracing
2009-10-15 17:11 . 2009-08-05 21:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-10-15 17:11 . 2009-10-15 17:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-15 17:10 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-15 17:10 . 2009-10-15 17:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-15 17:08 . 2009-10-15 17:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-15 17:07 . 2009-10-15 17:11 -------- d-----w- c:\program files\Windows Live
2009-10-15 16:18 . 2009-10-15 16:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-15 16:15 . 2009-10-15 16:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-15 16:14 . 2009-10-15 17:08 -------- d-----w- c:\program files\Microsoft
2009-10-15 16:12 . 2009-10-15 16:12 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Desktop Search
2009-10-15 16:11 . 2009-10-16 08:11 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-15 16:11 . 2009-10-15 16:11 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-15 16:10 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-15 16:10 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-15 16:10 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-10-15 09:25 . 2009-10-15 09:25 -------- d-----w- C:\temp
2009-10-15 09:24 . 2001-08-17 11:19 36992 ----a-w- c:\windows\system32\dllcache\aztw2320.sys
2009-10-15 09:22 . 2001-08-17 12:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-10-15 09:22 . 2001-08-17 11:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-10-15 09:22 . 2001-08-17 13:07 56960 ----a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-10-15 09:22 . 2001-08-17 13:07 55168 ----a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-10-15 09:22 . 2001-08-17 12:52 12800 ----a-w- c:\windows\system32\dllcache\aha154x.sys
2009-10-15 09:20 . 2001-08-17 13:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-10-13 15:29 . 2009-10-13 15:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-13 14:26 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-13 14:26 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-13 09:12 . 2009-10-13 09:12 -------- d-sh--w- c:\documents and settings\My Name\IECompatCache
2009-10-13 09:11 . 2009-10-13 09:11 -------- d-sh--w- c:\documents and settings\My Name\PrivacIE
2009-10-13 09:07 . 2009-10-13 09:07 -------- d-sh--w- c:\documents and settings\My Name\IETldCache
2009-10-13 09:05 . 2009-10-13 14:43 -------- d-----w- c:\windows\ie8updates
2009-10-13 09:04 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-13 09:01 . 2009-10-13 09:04 -------- dc-h--w- c:\windows\ie8
2009-10-08 20:19 . 2009-10-08 20:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Elluminate
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 21:31 . 2006-02-19 20:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-01 21:25 . 2006-02-19 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 21:07 . 2008-01-25 12:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 11:13 . 2006-08-14 12:08 119224 -c--a-w- c:\documents and settings\My Name\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 13:08 . 2009-05-19 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 08:55 . 2006-02-19 19:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 08:54 . 2006-12-07 21:08 -------- d-----w- c:\program files\TreeDraw
2009-10-16 00:58 . 2006-02-19 20:23 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 09:23 . 2007-07-08 14:42 -------- d-----w- c:\program files\Sony
2009-10-12 09:23 . 2007-07-08 14:41 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-07 09:57 . 2009-05-12 08:57 -------- d-----w- c:\program files\SPICERlinkweb Ireland V2.0
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 07:19 . 2008-08-06 20:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 15:27 . 2009-09-06 15:27 -------- d-----w- c:\documents and settings\My Name\Application Data\Roxio
2009-09-06 15:18 . 2009-09-06 15:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-06 15:17 . 2009-09-06 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-09-06 15:04 . 2009-09-06 15:04 -------- d-----w- c:\program files\Roxio
2009-09-06 15:04 . 2009-09-06 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 18:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 08:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2006-12-20 13:20 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2005-05-26 04:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2004-08-04 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 08:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2003-08-27 13:19 . 2009-09-06 15:18 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2006-09-15 10:58 . 2006-09-15 10:58 22 -csha-w- c:\windows\SMINST\HPCD.sys
2007-06-28 11:49 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfg.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 -csha-w- c:\windows\system32\CdI5T.drv
.
(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001137.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003240.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001145.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003246.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001161.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003260.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001170.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003267.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001174.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003272.dll
c:\windows\LastGood.Tmp\system32\kernel32.dll [x]
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP1\A0000306.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP1\A0000721.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP10\A0001201.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003294.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\system32\dllcache\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP1\A0000011.dll
[7] B921FB870C9AC0D509B2CCABBBBE95F3 989696 \RP23\A0003298.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 c:\windows\system32\kernel32.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP1\A0000012.dll
[-] 0EFEB8CC84A425F1872707E637030354 993792 \RP23\A0003231.dll
.
------- Sigcheck -------
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless Card Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe [2006-6-15 630872]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [15/10/2009 17:11 54752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [15/06/2006 18:16 17149]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/10/2007 08:35 112688]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [22/08/2005 09:06 231424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30/03/2009 15:28 1533808]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [02/11/2007 20:10 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [02/11/2007 20:10 17448]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [03/02/2007 12:10 17536]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {E35DB90B-3ABB-407E-B6DA-F4B1F698467E} = 159.134.237.6,159.134.248.17
DPF: ibb_cust - hxxps://ibusinessbanking1.aib.ie/ibb_cust.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///E:/SuperCD/IntraLaunch.CAB
FF - ProfilePath - c:\documents and settings\My Name\Application Data\Mozilla\Firefox\Profiles\uo0ag0k4.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 21:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-11-01 21:44
ComboFix-quarantined-files.txt 2009-11-01 21:44
ComboFix2.txt 2009-10-31 19:36
Pre-Run: 26,995,658,752 bytes free
Post-Run: 26,971,709,440 bytes free
- - End Of File - - 59424A8283C7796FE5795EFE7B39FC94
Upload was successful
Cookiegal
Administrator with 63,628 posts.
Join Date: Aug 2003
Location: Quebec, Canada
04-Nov-2009, 07:46 PM #35
Go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

c:\windows\system32\kernel32.dll
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
05-Nov-2009, 04:10 AM #36
Here is the result of the scan. There is a limit of 20 images per post in this forum so I replaced the Arcavir logo with text (in case you thought it looked unusual).

Are there five different infections in the file or are they different names for the same thing?


Scanners

ARCAVIR 2009-11-04 Found nothing
2009-11-05 Trojan.Patched.EL
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-04 Win32:Patched-LH
2009-11-05 Found nothing
2009-11-04 Found nothing
2009-11-04 Win32/Patched.EL
2009-11-04 TR/Patched.GK.1
2009-11-04 Found nothing
2009-11-05 Trojan.Patched.EL
2009-11-04 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-04 Found nothing
2009-11-04 Found nothing
2009-11-04 Found nothing
2009-11-05 Found nothing
Cookiegal
Administrator with 63,628 posts.
Join Date: Aug 2003
Location: Quebec, Canada
05-Nov-2009, 07:50 PM #37
Various scanners give malware different names but it's the same malware.

Let's have the file examined closer please.

Go to the forum here and upload this (these) file(s):

c:\windows\system32\kernel32.dll

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.
__________________
Microsoft MVP - Consumer Security
Cookiegal
Administrator with 63,628 posts.
Join Date: Aug 2003
Location: Quebec, Canada
07-Nov-2009, 12:30 PM #38
Thanks for the upload. It's been confirmed that the file is indeed patched, so we've still got some work to do.

Please upload the following file to The SpyKiller as you did the other one. You can add it to the same thread you created there:

c:\windows\system32\wininet.dll

If you haven't already, you should back up any important data, photos, etc. to external media such as CDs or an external hard drive before going any further.

Open Notepad and copy and paste the text in the code box below into it:

Code:
SCOPY::
\RP23\A0003298.dll|c:\kernel32.dll
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Then, once you've done the above, please do the following:

Go to the link below and upload the following file(s) for analysis and post the results please:

http://virusscan.jotti.org/

c:\kernel32.dll
__________________
Microsoft MVP - Consumer Security
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
09-Nov-2009, 05:49 PM #39
Uploaded requested file to Spykiller but had to start a new topic to do it "HP Recovery2".

Followed your instructions with Combofix. Dragged and dropped the file, then Combofix started up and recommended an update, which I accepted, but when it started scanning I got a message "PEV.cfxxe has encountered a problem and needs to close........."

Combofix stopped running until I clicked "do not send" on the error report message; then it started its routine "through the stages".

I will do the jotti scan requested now.

Here is the Combofix report:

ComboFix 09-11-08.03 - My Name 09/11/2009 22:08.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.1406.895 [GMT 0:00]
Running from: c:\documents and settings\My Name\Desktop\purple.exe
Command switches used :: c:\documents and settings\My Name\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--------------- SCopy ---------------
\RP23\A0003298.dll --> c:\kernel32.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.
2009-11-09 22:08 . 2009-03-21 14:06 989696 ----a-w- C:\kernel32.dll
2009-10-31 18:14 . 2009-10-31 18:14 117760 ----a-w- c:\documents and settings\My Name\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-31 18:12 . 2009-10-31 18:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 17:32 . 2009-10-27 17:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 17:31 . 2009-10-27 17:31 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\Threat Expert
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\documents and settings\My Name\Application Data\ScanSpyware
2009-10-27 10:07 . 2008-09-07 17:22 8704 ----a-w- c:\windows\system32\ssbtsr.exe
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\program files\ScanSpyware
2009-10-21 18:07 . 2009-10-21 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\documents and settings\My Name\Application Data\SUPERAntiSpyware.com
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 14:19 . 2009-10-22 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 08:35 . 2009-10-16 08:35 -------- d-----w- c:\program files\Trend Micro
2009-10-15 23:34 . 2008-04-14 04:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-10-15 21:37 . 2009-10-15 21:37 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Search
2009-10-15 18:56 . 2009-10-15 18:56 -------- d-----w- c:\documents and settings\My Name\Application Data\Nero
2009-10-15 18:52 . 2009-10-15 18:53 -------- d-----w- c:\program files\Nero
2009-10-15 18:51 . 2009-10-15 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-15 18:51 . 2009-10-15 18:55 -------- d-----w- c:\program files\Common Files\Nero
2009-10-15 17:13 . 2009-10-15 17:13 -------- d-----w- c:\documents and settings\My Name\Tracing
2009-10-15 17:11 . 2009-08-05 21:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-10-15 17:11 . 2009-10-15 17:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-15 17:10 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-15 17:10 . 2009-10-15 17:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-15 17:08 . 2009-10-15 17:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-15 17:07 . 2009-10-15 17:11 -------- d-----w- c:\program files\Windows Live
2009-10-15 16:18 . 2009-10-15 16:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-15 16:15 . 2009-10-15 16:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-15 16:14 . 2009-10-15 17:08 -------- d-----w- c:\program files\Microsoft
2009-10-15 16:12 . 2009-10-15 16:12 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Desktop Search
2009-10-15 16:11 . 2009-10-16 08:11 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-15 16:11 . 2009-10-15 16:11 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-15 16:10 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-15 16:10 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-15 16:10 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-10-15 09:25 . 2009-10-15 09:25 -------- d-----w- C:\temp
2009-10-15 09:24 . 2001-08-17 11:19 36992 ----a-w- c:\windows\system32\dllcache\aztw2320.sys
2009-10-15 09:22 . 2001-08-17 12:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-10-15 09:22 . 2001-08-17 11:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-10-15 09:22 . 2001-08-17 13:07 56960 ----a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-10-15 09:22 . 2001-08-17 13:07 55168 ----a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-10-15 09:22 . 2001-08-17 12:52 12800 ----a-w- c:\windows\system32\dllcache\aha154x.sys
2009-10-15 09:20 . 2001-08-17 13:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-10-13 15:29 . 2009-10-13 15:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-13 14:26 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-13 14:26 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-13 09:12 . 2009-10-13 09:12 -------- d-sh--w- c:\documents and settings\My Name\IECompatCache
2009-10-13 09:11 . 2009-10-13 09:11 -------- d-sh--w- c:\documents and settings\My Name\PrivacIE
2009-10-13 09:07 . 2009-10-13 09:07 -------- d-sh--w- c:\documents and settings\My Name\IETldCache
2009-10-13 09:05 . 2009-11-04 23:03 -------- d-----w- c:\windows\ie8updates
2009-10-13 09:04 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-13 09:01 . 2009-10-13 09:04 -------- dc-h--w- c:\windows\ie8
2009-10-12 09:23 . 2009-10-12 09:23 292878 ----a-r- c:\documents and settings\My Name\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 21:59 . 2006-02-19 20:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-09 21:35 . 2006-02-19 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 21:07 . 2008-01-25 12:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 11:13 . 2006-08-14 12:08 119224 -c--a-w- c:\documents and settings\My Name\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 13:08 . 2009-05-19 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 08:55 . 2006-02-19 19:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 08:54 . 2006-12-07 21:08 -------- d-----w- c:\program files\TreeDraw
2009-10-16 00:58 . 2006-02-19 20:23 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 09:23 . 2007-07-08 14:42 -------- d-----w- c:\program files\Sony
2009-10-12 09:23 . 2007-07-08 14:41 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-08 20:19 . 2009-10-08 20:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Elluminate
2009-10-07 09:57 . 2009-05-12 08:57 -------- d-----w- c:\program files\SPICERlinkweb Ireland V2.0
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-06 15:18 . 2009-09-06 15:18 3638 ----a-r- c:\documents and settings\My Name\Application Data\Microsoft\Installer\{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}\KK.exe
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2003-08-27 13:19 . 2009-09-06 15:18 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2006-09-15 10:58 . 2006-09-15 10:58 22 -csha-w- c:\windows\SMINST\HPCD.sys
2007-06-28 11:49 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfg.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 -csha-w- c:\windows\system32\CdI5T.drv
.
------- Sigcheck -------
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_19.29.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-04 23:03 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-04 23:03 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2004-08-04 08:00 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2006-07-28 11:28 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-04 23:03 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless Card Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe [2006-6-15 630872]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [15/10/2009 17:11 54752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30/03/2009 15:28 1533808]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [15/06/2006 18:16 17149]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/10/2007 08:35 112688]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [22/08/2005 09:06 231424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [02/11/2007 20:10 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [02/11/2007 20:10 17448]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [03/02/2007 12:10 17536]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {E35DB90B-3ABB-407E-B6DA-F4B1F698467E} = 159.134.237.6,159.134.248.17
DPF: ibb_cust - hxxps://ibusinessbanking1.aib.ie/ibb_cust.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///E:/SuperCD/IntraLaunch.CAB
FF - ProfilePath - c:\documents and settings\My Name\Application Data\Mozilla\Firefox\Profiles\uo0ag0k4.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 22:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3680)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-09 22:18
ComboFix-quarantined-files.txt 2009-11-09 22:18
ComboFix2.txt 2009-11-01 21:45
ComboFix3.txt 2009-10-31 19:36
Pre-Run: 26,378,747,904 bytes free
Post-Run: 26,504,667,136 bytes free
- - End Of File - - 970C8496AD235B102DBCB24998CF5C28
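The Sigcheck section of the log above is the part worth reading closely: every copy of kernel32.dll that Windows could fall back on (system32, dllcache, ServicePackFiles, the $NtUninstall and $hf_mig$ folders) carries the same MD5, the same size and the same 2009-10-27 modification date, and every one is marked [-]. That is why the clean file had to be pulled from a restore point instead of letting Windows File Protection replace it. The script below is an added example for this thread, not ComboFix code and not anything either poster ran: it parses that section and states the verdict mechanically. The excerpt in SAMPLE_LOG is copied from the log above; the meaning given to the [-] marker and the empty KNOWN_GOOD_MD5 table are this example's assumptions, since the page gives no clean hash for kernel32.dll 5.1.2600.5781.

```python
"""Parse the '------- Sigcheck -------' section of a ComboFix log and decide
whether any copy of a system DLL still on the disk can serve as a restore
source. Added example for this thread; it is not ComboFix code and was not
run by either poster."""
import re
from collections import defaultdict

# A Sigcheck line: [marker] date . MD5 . size . . [file version] . . path
# The [-] marker is taken here to mean ComboFix could not verify the copy
# against the Windows signature catalogs (assumption; the thread confirmed
# the file was patched by uploading it for analysis).
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Constructed excerpt of the Sigcheck section of the log posted above.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-31_19.29.36 )))))))))))))))))))))))))))))))))))))))))
"""

# Placeholder (assumption): file name -> MD5s verified on a clean machine at
# the same service pack and hotfix level. The page gives no clean hash.
KNOWN_GOOD_MD5 = {"kernel32.dll": set()}


def parse_sigcheck(log_text):
    """Return the Sigcheck entries (one dict per line) found between the
    section header and the next '((((' section banner."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if line.strip() == "------- Sigcheck -------":
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break
        if not in_section:
            continue
        m = SIGCHECK_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["md5"] = entry["md5"].upper()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def assess(entries, known_good=KNOWN_GOOD_MD5):
    """Group entries by file name and say whether a clean local copy exists.
    The tell for a patched system DLL is that every backup location
    (dllcache, ServicePackFiles, uninstall folders) carries the same
    unverified hash and the same recent modification date: the patcher also
    overwrote the copies Windows File Protection would restore from."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    report = {}
    for name, copies in by_name.items():
        clean = [c["path"] for c in copies if c["md5"] in known_good.get(name, set())]
        unverified = sum(1 for c in copies if c["flag"].strip() == "-")
        hashes = sorted({c["md5"] for c in copies})
        dates = sorted({c["date"] for c in copies})
        if clean:
            verdict = "clean copy available: " + clean[0]
        elif len(hashes) == 1 and unverified == len(copies):
            verdict = ("all %d local copies share one unverified hash (modified %s): "
                       "nothing on disk to restore from, use a restore point or "
                       "install media" % (len(copies), ", ".join(dates)))
        else:
            verdict = "mixed copies: compare hashes by hand"
        report[name] = {"copies": len(copies), "unverified": unverified,
                        "hashes": hashes, "modified": dates,
                        "clean_source": clean[0] if clean else None,
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, info in assess(parse_sigcheck(SAMPLE_LOG)).items():
        print(name, info["verdict"])
```

Run it against a full ComboFix log and the same logic applies to any system file listed under Sigcheck; a file with several distinct hashes across its backup locations is the "mixed" case and deserves a manual look, because one of those copies may still be the original.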
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
09-Nov-2009, 05:56 PM #40
Scanners

Arcavir 2009-11-09 Found nothing
2009-11-09 Trojan.Patched.EL
2009-11-09 Virus.Win32.Alvabrig!IK
2009-11-09 Virus.Win32.Alvabrig
2009-11-09 Win32:Patched-LH
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Win32/Patched.EL
2009-11-09 TR/Patched.GK.1
2009-11-09 Found nothing
2009-11-09 Trojan.Patched.EL
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-06 Found nothing
2009-11-09 Found nothing
2009-11-09 Mal/Generic-A
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
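Cookiegal's answer above (one piece of malware, several vendor names) is something you can check mechanically: strip the type and platform prefixes each vendor puts in front of the name and what remains is the family token. The script below is an added example for this thread, not Jotti's code; SCAN_1 and SCAN_2 carry the date and verdict columns of the two results posted above (the scanner names were images and are not on the page), and the PLATFORM_OR_TYPE prefix list is this example's own assumption, good enough for the names seen here rather than any vendor standard.

```python
"""Reduce per-engine verdict names from a multi-scanner result into family
tokens, to show whether differently named hits are one detection. Added
example for this thread, not Jotti's code."""
import re
from collections import Counter

# Date/verdict columns copied from the two results posted in the thread.
SCAN_1 = """
ARCAVIR 2009-11-04 Found nothing
2009-11-05 Trojan.Patched.EL
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-04 Win32:Patched-LH
2009-11-05 Found nothing
2009-11-04 Found nothing
2009-11-04 Win32/Patched.EL
2009-11-04 TR/Patched.GK.1
2009-11-04 Found nothing
2009-11-05 Trojan.Patched.EL
2009-11-04 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-05 Found nothing
2009-11-04 Found nothing
2009-11-04 Found nothing
2009-11-04 Found nothing
2009-11-05 Found nothing
"""
SCAN_2 = """
Arcavir 2009-11-09 Found nothing
2009-11-09 Trojan.Patched.EL
2009-11-09 Virus.Win32.Alvabrig!IK
2009-11-09 Virus.Win32.Alvabrig
2009-11-09 Win32:Patched-LH
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Win32/Patched.EL
2009-11-09 TR/Patched.GK.1
2009-11-09 Found nothing
2009-11-09 Trojan.Patched.EL
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-06 Found nothing
2009-11-09 Found nothing
2009-11-09 Mal/Generic-A
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
2009-11-09 Found nothing
"""

RESULT_LINE = re.compile(r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>\S.*?)\s*$")
TOKEN_SPLIT = re.compile(r"[./:\\!\-\s]+")
# Type/platform words vendors prepend (assumed list); the family is the
# first token that is not one of these and not a bare number.
PLATFORM_OR_TYPE = {"trojan", "tr", "trj", "virus", "worm", "backdoor",
                    "win32", "w32", "mal", "pe"}


def parse_results(text):
    """Return (date, verdict) pairs; verdict is None for 'Found nothing'.
    Anything before the date (a scanner name that survived) is ignored."""
    rows = []
    for line in text.splitlines():
        m = RESULT_LINE.search(line)
        if m:
            verdict = m.group("verdict")
            rows.append((m.group("date"),
                         None if verdict.lower() == "found nothing" else verdict))
    return rows


def family(name):
    """'Win32:Patched-LH', 'TR/Patched.GK.1', 'Trojan.Patched.EL' -> 'patched'."""
    for tok in TOKEN_SPLIT.split(name):
        t = tok.lower()
        if t and not t.isdigit() and t not in PLATFORM_OR_TYPE:
            return t
    return name.lower()


def summarize(text):
    """Engines seen, engines that fired, and how the verdicts group by family."""
    rows = parse_results(text)
    hits = [v for _, v in rows if v]
    return {"engines": len(rows), "detections": len(hits),
            "families": Counter(family(v) for v in hits)}


if __name__ == "__main__":
    for label, scan in (("first upload", SCAN_1), ("restore-point copy", SCAN_2)):
        print(label, summarize(scan))
```

On the first upload all five hits collapse to one family, "patched", which is the point Cookiegal made. The second result adds two "alvabrig" verdicts and one "generic" one; the tokeniser cannot tell you whether those are the same thing under yet another name, only that the naming differs, so treat the family histogram as a grouping aid and not as a count of infections.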
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
09-Nov-2009, 05:59 PM #41
Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:57:31, on 09/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eircom.net
O16 - DPF: ibb_cust - https://ibusinessbanking1.aib.ie/ibb_cust.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166619393265
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file:///E:/SuperCD/IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{E35DB90B-3ABB-407E-B6DA-F4B1F698467E}: NameServer = 159.134.237.6,159.134.248.17
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Program Files\Nero\Nero BackItUp 4\IoctlSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
--
End of file - 10579 bytes
Cookiegal (Administrator with 63,628 posts; Join Date: Aug 2003; Location: Quebec, Canada)
09-Nov-2009, 07:37 PM #42
Thank you for all the uploads as they are helpful, but I need you to do one more, please. It looks like the clean copy of the file we found may have been reinfected.

Please upload the following file from this location (not the one in System32) to The SpyKiller for closer examination as well.

C:\kernel32.dll
__________________
Microsoft MVP - Consumer Security
Tacpot (Member with 33 posts; Join Date: Oct 2009; Experience: Intermediate)
10-Nov-2009, 03:34 AM #43
C:\kernel32.dll uploaded to HP Recovery2
Tacpot (Member with 33 posts; Join Date: Oct 2009; Experience: Intermediate)
11-Nov-2009, 04:23 AM #44
Hi,

Would it be helpful or unhelpful to download and run Avast or NOD32 at this stage?

Does the fact that they can identify an alien presence mean that they can remove it successfully?
Cookiegal (Administrator with 63,628 posts; Join Date: Aug 2003; Location: Quebec, Canada)
11-Nov-2009, 06:17 PM #45
Quote:
Originally Posted by Tacpot
Hi,

Would it be helpful or unhelpful to download and run Avast or NOD32 at this stage?

Does the fact that they can identify an alien presence mean that they can remove it successfully?
No, it's best not to install any new programs for the time being.

It turns out the last two files you uploaded to The SpyKiller are clean so that's good news.

We are going to use the Recovery Console to copy the clean version of the kernel32.dll file that we recovered over to replace all of the ones that are infected.

Please print these instructions as you will not be able to read them from the recovery console.

Also, this is a vital system file so there's always a chance that if something goes wrong the system will not be bootable and the operating system may have to be repaired or possibly reloaded (reformat). As I believe I mentioned earlier in this thread, you need to be sure you have all important data, photos, music, emails, etc. backed up to some external media so that you would not lose them in the event of such a failure.

I'm attaching a text file called fixkernel.txt to this post. Open it in Notepad and save it to your C: root with the same name fixkernel.txt, so the file will be located at C:\fixkernel.txt. This is very important as we are going to run a batch command that will read from this text file.

If you don't understand the instructions and/or you don't see the file you saved at C:\fixkernel.txt please let me know before going any further.

Now, restart your computer and select the Recovery Console from the options menu. You will likely be prompted to enter the administrator password so please do so. If there isn't one just hit Enter.

You should be presented with a command prompt that looks like this:

C:\Windows>

If it doesn't look like that, please do not proceed any further and report back to me what the command prompt is showing. You can type "exit" without the quotes to exit the recovery console and boot back to Windows.

If you have the proper command prompt showing then please type the following command and then press Enter. Take care to type it exactly as written, including the space:

batch fixkernel.txt

Reboot to Windows normally. Let me know how it goes please.
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
__________________
Microsoft MVP - Consumer Security
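The replacement above only works if the copy at C:\ really is the clean one and every other copy on the disk ends up identical to it. The following Python check is an added example, not part of this thread or of the fixkernel.txt attachment (whose contents are not shown here): it hashes each candidate kernel32.dll location against the clean reference and reports which copies still differ, which is the confirmation a practitioner wants before and after such a swap. The XP paths listed are assumptions and the demo files are constructed stand-ins, not real DLLs.

```python
"""Compare every kernel32.dll copy against a reference copy believed clean.
Added example; the default paths are assumed typical XP locations."""
import hashlib
import os
import tempfile
from pathlib import Path

# Usual places a Windows XP install keeps kernel32.dll (assumption).
DEFAULT_CANDIDATES = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\dllcache\kernel32.dll",
    r"C:\WINDOWS\ServicePackFiles\i386\kernel32.dll",
]


def sha256_file(path):
    """Stream the file through SHA-256 so a large DLL need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference, candidates):
    """Return {path: 'match' | 'differs' | 'missing'} relative to the reference."""
    ref_hash = sha256_file(reference)
    result = {}
    for p in candidates:
        if not os.path.isfile(p):
            result[p] = "missing"
        elif sha256_file(p) == ref_hash:
            result[p] = "match"
        else:
            result[p] = "differs"
    return result


def demo():
    """Constructed sample: one identical copy, one altered copy, one absent path."""
    with tempfile.TemporaryDirectory() as d:
        ref = Path(d) / "kernel32.dll"            # stands in for C:\kernel32.dll
        ref.write_bytes(b"MZ" + b"\x00" * 64)     # placeholder bytes, not a real DLL
        good = Path(d) / "system32_kernel32.dll"
        good.write_bytes(ref.read_bytes())
        bad = Path(d) / "dllcache_kernel32.dll"
        bad.write_bytes(ref.read_bytes() + b"tail")  # constructed divergence
        gone = Path(d) / "servicepack_kernel32.dll"  # never created
        return compare_copies(str(ref), [str(good), str(bad), str(gone)])


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

On a live system call compare_copies(r"C:\kernel32.dll", DEFAULT_CANDIDATES) from a booted or offline Windows where the paths exist; any "differs" after the batch has run means a copy was not replaced.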
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.