
Can not access Microsoft or Anti Virus sites

Discussion in 'Virus & Other Malware Removal' started by suzeh, May 4, 2011.

  1. suzeh

    suzeh Thread Starter

    Joined:
    May 2, 2011
    Messages:
    12
    My computer seems to be running fine, but when I went to install a new printer, it won't load.
    Contacted their support and they said it was a Microsoft error and I needed to research the error and correct it.
    Guess what? I can't go to any Microsoft sites... Looked a bit further and sure enough I can't get to any anti virus sites either (this is on both my desktop and my laptop if that makes a difference). The logs shown below are from my desktop only.
     


  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya suzeh,

    Proceed as follows :-

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop. Very important

      Before saving Combofix to the Desktop re-name to Gotcha.exe as below:

      [​IMG]

    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the [​IMG] icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in next reply please...

    Kevin
     
  3. suzeh

    suzeh Thread Starter

    Joined:
    May 2, 2011
    Messages:
    12
    Thanks Kevin!
    Here's the log

    ComboFix 11-05-04.02 - Owner 05/04/2011 16:24:21.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.677 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Gotcha.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\Megan\WINDOWS
    c:\documents and settings\NotAdmin\WINDOWS
    c:\documents and settings\Owner\Recent\Thumbs.db
    c:\documents and settings\Owner\WINDOWS
    c:\program files\Toolbar
    c:\program files\Toolbar\common.dll
    c:\program files\Toolbar\Cursors\cursors.xml
    c:\program files\Toolbar\gykhxlmu.rmr
    c:\program files\Toolbar\IExploreSkins.exe
    c:\program files\Toolbar\newmajorse2.txt
    c:\program files\Toolbar\nzqlihv.wzg
    c:\program files\Toolbar\PIB.exe
    c:\program files\Toolbar\rw.wzg
    c:\program files\Toolbar\Skins\5B177F4D655955BE6B5E4AC571E52995\skin.xml
    c:\program files\Toolbar\Skins\5B177F4D655955BE6B5E4AC571E52995\skin1020x100.bmp
    c:\program files\Toolbar\Skins\5B177F4D655955BE6B5E4AC571E52995\skin1020x135.bmp
    c:\program files\Toolbar\Skins\5B177F4D655955BE6B5E4AC571E52995\skin1020x175.bmp
    c:\program files\Toolbar\Skins\5B177F4D655955BE6B5E4AC571E52995\skin1020x70.bmp
    c:\program files\Toolbar\TBPS.exe
    c:\program files\Toolbar\TBPSSvc.exe
    c:\program files\Toolbar\Update\zwipvbh.wzg
    c:\program files\Toolbar\xlmurin.wzg
    c:\program files\Toolbar\xzxsv.wzg
    c:\program files\Toolbar\yildhvi.olt
    c:\program files\Toolbar\yywr.wzg
    c:\program files\Toolbar\yywsv.wzg
    c:\program files\Toolbar\zwipvbh.wzg
    c:\windows\NDNuninstall6_38.exe
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\ynjnsrjn.dll
    D:\AUTORUN.INF
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_qgsheuoq
    -------\Legacy_zraxho
    -------\Service_qgsheuoq
    -------\Service_zraxho
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-02 12:47 . 2011-05-03 12:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-05-01 16:47 . 2011-05-01 16:47 -------- d-----w- C:\LXKZ600
    2011-05-01 12:23 . 2011-05-01 12:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-05-01 02:56 . 2011-05-01 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Temp
    2011-04-05 14:55 . 2011-04-05 14:55 -------- d-----w- c:\program files\Common Files\Java
    2011-04-05 14:44 . 2011-02-03 01:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-04-05 14:44 . 2011-02-03 01:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-22 00:35 . 2010-06-27 01:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-24 273544]
    "Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    AutoPlay.exe [2001-9-17 36864]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Norton GoBack.lnk - c:\program files\Norton GoBack\GBTray.exe [2004-8-13 803976]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoPlay.exe [2001-9-17 36864]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo! Games\\Zuma Deluxe\\Zuma.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"= 3786:TCP:tjfbwj
    .
    R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [12/17/2003 5:58 PM 82888]
    S0 mwzj;mwzj;c:\windows\system32\drivers\nini.sys --> c:\windows\system32\drivers\nini.sys [?]
    S2 qgsheuoq;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
    S2 zraxho;Support Security;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
    S3 rlmjdyr;rlmjdyr;\??\c:\windows\system32\016.tmp --> c:\windows\system32\016.tmp [?]
    S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [7/14/2009 3:51 PM 53690]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    qgsheuoq
    zraxho
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-04 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2002-08-06 07:56]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-04-30 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2004-08-26 00:31]
    .
    2011-04-29 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2005-03-13 03:57]
    .
    2011-05-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-05-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://srch-us6.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k0vskcty.default\
    FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=&tool_id=60531&qkw=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Owner\Application Data\Move Networks
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-04 16:45
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rlmjdyr]
    "ImagePath"="\??\c:\windows\system32\016.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qgsheuoq]
    "ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zraxho]
    "ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3952)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Norton GoBack\GBPoll.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-04 16:55:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-04 20:55
    .
    Pre-Run: 27,184,218,112 bytes free
    Post-Run: 28,007,186,432 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 2822A2BACAAFFFAB0A1300783C7A0E9F
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya suzeh,

    Continue as follows :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    File::
    c:\windows\system32\ynjnsrjn.dll
    c:\windows\system32\016.tmp
    Driver::
    qgsheuoq
    zraxho
    rlmjdyr
    
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [​IMG]

    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    Step 3

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Let me see the logs from Combofix, ESET and Security Checks in next reply, also give update on current issues.

    Kevin
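    The CFScript targets in Step 1 above (the two svchost netsvcs services that share ynjnsrjn.dll, the rlmjdyr service whose image is a .tmp file, the [?] driver entries) were picked by reading the log by hand. The following Python script is an added example, not part of this thread or of ComboFix: it pulls the same indicators out of a ComboFix log mechanically, using an excerpt of the log posted above as constructed sample input; the finding kinds ('shared_image', 'tmp_image', ...) are names chosen here, not ComboFix terminology.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the registry, driver/service and firewall sections the triage reads.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3786:TCP"= 3786:TCP:tjfbwj
.
R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [12/17/2003 5:58 PM 82888]
S0 mwzj;mwzj;c:\windows\system32\drivers\nini.sys --> c:\windows\system32\drivers\nini.sys [?]
S2 qgsheuoq;Support Installer;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
S2 zraxho;Support Security;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
S3 rlmjdyr;rlmjdyr;\??\c:\windows\system32\016.tmp --> c:\windows\system32\016.tmp [?]
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rlmjdyr]
"ImagePath"="\??\c:\windows\system32\016.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qgsheuoq]
"ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zraxho]
"ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
"""

SERVICE_RE = re.compile(r'^([RS][0-4])\s+([^;]+);([^;]*);(.*)$')   # "S2 name;display;image [info]"
REG_KEY_RE = re.compile(r'^\[(.+)\]$')                             # "[HKLM\...]"
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                 # '"name"=value'


def parse_log(text):
    """Single pass over a ComboFix log: collect the R*/S* driver-and-service
    lines and every [key] / "name"=value block into plain dicts."""
    services, reg, key = [], defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, rest = m.groups()
            services.append({
                'start': start, 'name': name, 'display': display,
                'image': rest.split(' -->')[0].split(' [')[0].strip(),
                # "path --> path [?]": ComboFix had no file information for the image
                'no_file_info': rest.endswith('[?]'),
            })
            continue
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = REG_VAL_RE.match(line)
        if m and key:
            reg[key][m.group(1)] = m.group(2).strip().strip('"')
    return services, reg


def triage(text):
    """Return (kind, detail) findings an analyst would check first."""
    services, reg = parse_log(text)
    findings = []
    for key, vals in reg.items():
        if key.endswith(r'\security center') and vals.get('AntiVirusOverride', '').endswith('1'):
            findings.append(('av_override', 'Security Center AV monitoring overridden'))
        if key.endswith(r'\standardprofile') and vals.get('EnableFirewall', '').startswith('0'):
            findings.append(('firewall_disabled', 'EnableFirewall=0 in standard profile'))
        if key.endswith(r'\globallyopenports\list'):
            for port, val in vals.items():
                findings.append(('open_port', f'{port} ({val})'))
    # Which on-disk image does each dumped service key point at?
    image_of, users_of = {}, defaultdict(list)
    for key, vals in reg.items():
        m = re.search(r'\\services\\([^\\]+)$', key)
        target = vals.get('ServiceDll') or vals.get('ImagePath')
        if m and target:
            image_of[m.group(1).lower()] = target.lower()
            users_of[target.lower()].append(m.group(1).lower())
    for target, users in users_of.items():
        if len(users) > 1:        # one DLL registered under several service names
            findings.append(('shared_image', f'{target} <- {sorted(users)}'))
        if target.endswith('.tmp'):  # service code living in a temp file
            findings.append(('tmp_image', f'{target} <- {sorted(users)}'))
    for svc in services:
        name = svc['name'].lower()
        if svc['no_file_info']:
            findings.append(('no_file_info', f"{svc['start']} {name}: {svc['image']}"))
        if 'svchost.exe -k netsvcs' in svc['image'].lower():
            findings.append(('netsvcs_hosted', f"{name} -> {image_of.get(name, '(no ServiceDll in log)')}"))
    return findings


if __name__ == '__main__':
    for kind, detail in triage(SAMPLE_LOG):
        print(f'{kind:18} {detail}')
```

    On the sample this reports the AV override, the disabled firewall, the globally open port 3786/TCP, ynjnsrjn.dll shared by qgsheuoq and zraxho, the .tmp image behind rlmjdyr, and the two entries ComboFix had no file information for.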
     
  5. suzeh

    suzeh Thread Starter

    Joined:
    May 2, 2011
    Messages:
    12
    I got the new ComboFix log for you but I can not get the link to the ESET scan to take me anywhere. I opened up IE for my browser thinking it would be easiest, but it just gives me the "can not be found" error.

    Here is the latest ComboFix Log

    ComboFix 11-05-04.02 - Owner 05/04/2011 19:33:16.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.709 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\Gotcha.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    .
    FILE ::
    "c:\windows\system32\016.tmp"
    "c:\windows\system32\ynjnsrjn.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_RLMJDYR
    -------\Service_qgsheuoq
    -------\Service_rlmjdyr
    -------\Service_zraxho
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-02 12:47 . 2011-05-03 12:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-05-01 16:47 . 2011-05-01 16:47 -------- d-----w- C:\LXKZ600
    2011-05-01 12:23 . 2011-05-01 12:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-05-01 02:56 . 2011-05-01 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Temp
    2011-04-05 14:55 . 2011-04-05 14:55 -------- d-----w- c:\program files\Common Files\Java
    2011-04-05 14:44 . 2011-02-03 01:40 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-04-05 14:44 . 2011-02-03 01:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-22 00:35 . 2010-06-27 01:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-24 273544]
    "Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    AutoPlay.exe [2001-9-17 36864]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Norton GoBack.lnk - c:\program files\Norton GoBack\GBTray.exe [2004-8-13 803976]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    AutoPlay.exe [2001-9-17 36864]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo! Games\\Zuma Deluxe\\Zuma.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"= 3786:TCP:tjfbwj
    .
    R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [12/17/2003 5:58 PM 82888]
    S0 mwzj;mwzj;c:\windows\system32\drivers\nini.sys --> c:\windows\system32\drivers\nini.sys [?]
    S2 ievwfzvlz;Image Driver;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
    S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [7/14/2009 3:51 PM 53690]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - IEVWFZVLZ
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ievwfzvlz
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-04 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2002-08-06 07:56]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-04-30 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2004-08-26 00:31]
    .
    2011-04-29 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2005-03-13 03:57]
    .
    2011-05-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-05-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://srch-us6.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k0vskcty.default\
    FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=&tool_id=60531&qkw=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Owner\Application Data\Move Networks
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-04 19:55
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievwfzvlz]
    "ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(904)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Norton GoBack\GBPoll.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-04 20:03:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-05 00:03
    ComboFix2.txt 2011-05-04 20:55
    .
    Pre-Run: 28,004,646,912 bytes free
    Post-Run: 28,179,591,168 bytes free
    .
    - - End Of File - - CC3EBD963F864E252D125F89FA3E4B6C
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya suzeh,

    Need to re-run Combofix script again, as follows please :-

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    
    Driver::
    mwzj
    ievwfzvlz
    Rootkit::
    c:\windows\system32\drivers\nini.sys
    c:\windows\system32\ynjnsrjn.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"=-
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next,

    As you cannot get ESET to run and I do not see a dedicated AV program installed, let's install Microsoft Security Essentials:

    To keep safe when online you need a good Antivirus/Antispyware/Antimalware/Anti-Rootkit combination application. Microsoft Security Essentials covers all of those bases, but better still it is free. Go Here and hit the "Download it free today" tab, follow the prompts. Once installed it will want to update and carry out a quick scan, allow that to happen.
    Let me know if MSE finds anything....

    Kevin
     
  7. suzeh

    The new cfscript text won't drop into the Combofix icon. :(
     
  8. kevinf80

    Hiya suzeh,

    Try CF again with this script, see if this one works.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    
    File::
    c:\windows\system32\drivers\nini.sys
    c:\windows\system32\ynjnsrjn.dll
    Driver::
    mwzj
    ievwfzvlz
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"=-
    
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next,

    Please perform this online scan: F-Secure Online Scanner
    Follow the directions in the F-Secure page for proper Installation.
    • You may receive an alert on the address bar at this point to install the ActiveX control.
    • Click on that alert and then click "Install ActiveX component".
    • Read the license agreement and click "Accept".
    • Click "Full System Scan" to download the scanning components and begin scan and cleaning.
    • When the scan completes, click the "I want to decide item by item" button.
    • For each item found, Select "Disinfect" and click "Next".
    • When done, click the "Show Report" button, then copy and paste the entire report into your next reply.

    Let me see the two logs in your reply....

    Kevin
     
  9. suzeh

    The CFScript icon should disappear, correct? And the box that says RUN should not come up on the ComboFix program? It should open on its own?

    At least that's what I thought it did the first time I dragged the txt file to it.

    If what I said above is correct, then the new script won't work either. :(
     
  10. kevinf80

    Hiya suzeh,

    Continue as follows please :-

    Please download OTM
    • Save it to your desktop.
    • Please double-click OTM.exe to run it. (Note: If you are running on Vista or Windows 7, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Services
      mwzj
      ievwfzvlz
      :Registry
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3786:TCP"=-
      :Files
      ipconfig /flushdns /c
      c:\windows\system32\drivers\nini.sys
      c:\windows\system32\ynjnsrjn.dll
      :Commands
      [purity]
      [emptytemp]
      [Reboot]
      
    • Return to OTM, right click in the paste window and choose Paste.
    • Click the MoveIt! button.
    • Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Next,

    Run the online AV scan I gave in my last post, let me see the two logs in your next reply....

    Kevin
     
  11. suzeh

    After rebooting a second time I was able to get to the F Scan website.
    Got as far as 'start the full scan' and it failed.
    Now I can't get back to the website to try to run it again.

    UPDATE:After several attempts I can only go as far as 4% (about 900 files) and then it comes up with error id 65. Program is running with insufficient user right to scan all targets for malware & spyware. Restart to try again.

    Here's the OTM log though

    All processes killed
    ========== SERVICES/DRIVERS ==========
    Service mwzj stopped successfully!
    Service mwzj deleted successfully!
    Service ievwfzvlz stopped successfully!
    Service ievwfzvlz deleted successfully!
    Error: Unable to interpret <:Registry> in the current context!
    Error: Unable to interpret <[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]> in the current context!
    Error: Unable to interpret <"3786:TCP"=-> in the current context!
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Documents and Settings\Owner\Desktop\cmd.bat deleted successfully.
    C:\Documents and Settings\Owner\Desktop\cmd.txt deleted successfully.
    File/Folder c:\windows\system32\drivers\nini.sys not found.
    LoadLibrary failed for c:\windows\system32\ynjnsrjn.dll
    File move failed. c:\windows\system32\ynjnsrjn.dll scheduled to be moved on reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 28409320 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 95710 bytes

    User: Megan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 693 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NotAdmin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->FireFox cache emptied: 60332098 bytes
    ->Flash cache emptied: 1919 bytes

    User: Owner
    ->Temp folder emptied: 150948 bytes
    ->Temporary Internet Files folder emptied: 7574124 bytes
    ->Java cache emptied: 90764333 bytes
    ->FireFox cache emptied: 173104002 bytes
    ->Google Chrome cache emptied: 81617302 bytes
    ->Flash cache emptied: 1966127 bytes

    %systemdrive% .tmp files removed: 1758461 bytes
    %systemroot% .tmp files removed: 19528 bytes
    %systemroot%\System32 .tmp files removed: 2899473 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16384 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1124311 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 429.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 05062011_071608

    Files moved on Reboot...
    File move failed. c:\windows\system32\ynjnsrjn.dll scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  12. kevinf80

    Hiya suzeh,

    Delete Combofix from your Desktop, download a fresh copy from either of the following links and run it as you did initially, do not re-name this time:-

    Link 1
    Link 2


    Post the new log in next reply please....

    Kevin
     
  13. suzeh

    Kevin,
    My apologies. While I was gone last night, one of my sons decided to do what he thought was a favor and downloaded and ran the AVAST anti virus thingy. I hope that doesn't mess up what you've been working on for me.

    Here is the new ComboFix log


    ComboFix 11-05-06.03 - Owner 05/06/2011 19:17:03.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.707 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\AutoPlay.exe
    c:\documents and settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe
    c:\windows\AutoRun.ini
    c:\windows\bobsaver.exe
    c:\windows\bobsaver.scr
    c:\windows\box boat blue.ico
    c:\windows\Downloaded Program Files\Install.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\patch.exe
    c:\windows\Readme.txt
    c:\windows\system32\uninstall.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-06 16:06 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-06 16:06 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-06 16:06 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-06 16:06 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-06 16:06 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-06 16:06 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-06 16:06 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-06 16:05 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-06 16:04 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-06 16:04 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\program files\AVAST Software
    2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-06 13:20 . 2011-05-06 13:20 -------- d-----w- c:\documents and settings\Owner\Application Data\f-secure
    2011-05-06 12:06 . 2011-05-06 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2011-05-06 11:16 . 2011-05-06 11:16 -------- d-----w- C:\_OTM
    2011-05-02 12:47 . 2011-05-03 12:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-05-01 16:47 . 2011-05-01 16:47 -------- d-----w- C:\LXKZ600
    2011-05-01 12:23 . 2011-05-01 12:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-05-01 02:56 . 2011-05-01 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Temp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-22 00:35 . 2010-06-27 01:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-24 273544]
    "Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Norton GoBack.lnk - c:\program files\Norton GoBack\GBTray.exe [2004-8-13 803976]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"= 3786:TCP:tjfbwj
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/6/2011 12:06 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/6/2011 12:06 PM 307288]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2011 12:06 PM 19544]
    R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [12/17/2003 5:58 PM 82888]
    S2 ievwfzvlz;Image Driver;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
    S2 tinmim;ajfxy;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
    S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [7/14/2009 3:51 PM 53690]
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    ievwfzvlz
    tinmim
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-04 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2002-08-06 07:56]
    .
    2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-04-30 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2004-08-26 00:31]
    .
    2011-05-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2005-03-13 03:57]
    .
    2011-05-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-05-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://srch-us6.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k0vskcty.default\
    FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=&tool_id=60531&qkw=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected].com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: avast! WebRep: [email protected] - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Owner\Application Data\Move Networks
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-06 19:40
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievwfzvlz]
    "ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
    --
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tinmim]
    "ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
    .
    Completion time: 2011-05-06 19:51:00
    ComboFix-quarantined-files.txt 2011-05-06 23:50
    ComboFix2.txt 2011-05-05 00:03
    ComboFix3.txt 2011-05-04 20:55
    .
    Pre-Run: 27,987,075,072 bytes free
    Post-Run: 28,397,420,544 bytes free
    .
    - - End Of File - - 8BD32EC78CBA0ED327D4676112B50021
     
  14. kevinf80

    Hiya suzeh,

    Continue as follows please :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    
    NetSvc::
    ievwfzvlz
    tinmim
    Driver::
    ievwfzvlz
    tinmim
    File::
    c:\windows\system32\ynjnsrjn.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"=-
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Step 3

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    What I'd like to see in your reply :-

    • Log from Combofix
    • Log from Malwarebytes
    • Log from Security Checks

    Kevin
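The triage Kevin does by eye across the logs above (the two services running as `svchost.exe -k netsvcs` that ComboFix lists as additions to the NetSvcs group, the single ServiceDll they both point at, the `3786:TCP` entry under GloballyOpenPorts, and `EnableFirewall` set to 0) can be scripted. The following Python is an added example for this page; it is not part of the thread, ComboFix or OTM. The log excerpt inside it is constructed from the lines quoted in this thread, the flagging rule (svchost/netsvcs service that appears in the NetSvcs additions and has an explicit ServiceDll) and the empty port allowlist are this example's own assumptions, and the output uses the same CFScript directives (NetSvc::, Driver::, File::, Registry::) as the post above.

```python
"""Triage a ComboFix log for svchost-hosted rogue services and globally open
firewall ports, then emit a CFScript to remove them (added example, not thread code)."""
import re

# Constructed excerpt modelled on the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3786:TCP"= 3786:TCP:tjfbwj
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/6/2011 12:06 PM 441176]
S2 ievwfzvlz;Image Driver;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
S2 tinmim;ajfxy;c:\windows\system32\svchost.exe -k netsvcs [8/6/2002 6:02 PM 14336]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ievwfzvlz
tinmim
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievwfzvlz]
"ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tinmim]
"ServiceDll"="c:\windows\system32\ynjnsrjn.dll"
"""

PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
             r"\standardprofile\GloballyOpenPorts\List")
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[')  # "S2 name;display;image [..]"
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                      # "Name"= value


def parse_combofix(log):
    """Collect service lines, NetSvcs additions, ServiceDll values and the
    firewall settings; every other log line is ignored."""
    info = {"services": {}, "netsvcs": [], "service_dll": {},
            "open_ports": [], "firewall_enabled": None}
    key, in_netsvcs = None, False
    for raw in log.splitlines():
        line = raw.strip()
        if in_netsvcs:                      # names listed under the NetSvcs header
            if line in ("", "."):
                in_netsvcs = False
            else:
                info["netsvcs"].append(line)
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:                               # keep the image path per service name
            info["services"][m.group(2)] = m.group(4)
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                # registry key for the values that follow
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, value = m.groups()
        k = key.lower()
        if name == "ServiceDll" and "\\services\\" in k:
            info["service_dll"][key.rsplit("\\", 1)[1]] = value.strip('"')
        elif k.endswith("globallyopenports\\list"):
            info["open_ports"].append((name, value))
        elif name == "EnableFirewall":
            info["firewall_enabled"] = value.split()[0] != "0"
    return info


def triage(info, port_allowlist=frozenset()):
    """Flag svchost -k netsvcs services that the log lists as NetSvcs additions
    with an explicit ServiceDll, the DLLs behind them, and globally open ports
    whose label is not on the analyst's allowlist (assumed; empty by default)."""
    rogue = {name: info["service_dll"][name] for name, image in info["services"].items()
             if "svchost.exe -k netsvcs" in image.lower()
             and name in info["netsvcs"] and name in info["service_dll"]}
    ports = [(n, v) for n, v in info["open_ports"] if v.split(":")[-1] not in port_allowlist]
    return {"rogue_services": rogue,
            "rogue_dlls": sorted(set(rogue.values())),
            "rogue_ports": ports,
            "firewall_disabled": info["firewall_enabled"] is False}


def build_cfscript(result, ports_key=PORTS_KEY):
    """Render the findings with the CFScript directives used in this thread."""
    names = sorted(result["rogue_services"])
    out = ["KillAll::", ""]
    if names:
        out += ["NetSvc::"] + names + ["Driver::"] + names
    if result["rogue_dlls"]:
        out += ["File::"] + result["rogue_dlls"]
    if result["rogue_ports"]:
        out += ["Registry::", "[%s]" % ports_key]
        out += ['"%s"=-' % name for name, _ in result["rogue_ports"]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(parse_combofix(SAMPLE_LOG))), end="")
```

Run against the constructed excerpt it prints the same script as the post above. The rules are deliberately narrow: a legitimate third-party service hosted under netsvcs would also be flagged if ComboFix reported it as a NetSvcs addition, and any globally open port is reported until its label is put on the allowlist, so the flagged list is a starting point for review, not something to paste into CFScript.txt unread. A DLL shared by two differently named services, as here, is itself a strong signal.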
     
  15. suzeh

    ComboFix 11-05-07.01 - Owner 05/08/2011 7:22.4.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1024.689 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\system32\ynjnsrjn.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_IEVWFZVLZ
    -------\Legacy_TINMIM
    -------\Service_ievwfzvlz
    -------\Service_tinmim
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-08 07:40 . 2011-05-08 07:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
    2011-05-08 07:04 . 2011-05-08 07:04 -------- d-----w- c:\program files\MSXML 4.0
    2011-05-08 01:15 . 2011-05-08 02:43 -------- d-----w- c:\windows\system32\CatRoot_bak
    2011-05-08 00:49 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-05-08 00:48 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
    2011-05-08 00:48 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
    2011-05-08 00:48 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2011-05-08 00:48 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2011-05-08 00:48 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2011-05-08 00:48 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2011-05-08 00:48 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2011-05-08 00:48 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2011-05-08 00:48 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2011-05-08 00:27 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2011-05-07 23:45 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2011-05-07 23:42 . 2009-08-06 23:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
    2011-05-06 16:06 . 2011-04-18 17:12 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-06 16:06 . 2011-04-18 17:17 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-06 16:06 . 2011-04-18 17:13 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-06 16:06 . 2011-04-18 17:16 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-06 16:06 . 2011-04-18 17:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-06 16:06 . 2011-04-18 17:16 102488 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-06 16:06 . 2011-04-18 17:16 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-06 16:05 . 2011-04-18 17:13 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-06 16:04 . 2011-04-18 17:25 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-06 16:04 . 2011-04-18 17:25 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\program files\AVAST Software
    2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-05-06 13:20 . 2011-05-06 13:20 -------- d-----w- c:\documents and settings\Owner\Application Data\f-secure
    2011-05-06 12:06 . 2011-05-06 12:06 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2011-05-06 11:16 . 2011-05-06 11:16 -------- d-----w- C:\_OTM
    2011-05-02 12:47 . 2011-05-03 12:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-05-01 16:47 . 2011-05-01 16:47 -------- d-----w- C:\LXKZ600
    2011-05-01 12:23 . 2011-05-01 12:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2011-05-01 02:56 . 2011-05-01 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Temp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-22 00:35 . 2010-06-27 01:55 398760 ----a-r- c:\windows\system32\cpnprt2.cid
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-04-18 17:25 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-09-09 1597440]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-24 273544]
    "Conime"="c:\windows\system32\conime.exe" [2004-08-04 27648]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-04-18 3460784]
    .
    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Norton GoBack.lnk - c:\program files\Norton GoBack\GBTray.exe [2004-8-13 803976]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3786:TCP"= 3786:TCP:tjfbwj
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/6/2011 12:06 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/6/2011 12:06 PM 307288]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/6/2011 12:06 PM 19544]
    R3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [12/17/2003 5:58 PM 82888]
    S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [7/14/2009 3:51 PM 53690]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-08 c:\windows\Tasks\Disk Cleanup.job
    - c:\windows\system32\cleanmgr.exe [2002-08-06 07:56]
    .
    2011-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-05-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1809832699-2326369520-2915903831-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-06 23:31]
    .
    2011-05-07 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\NAVW32.exe [2004-08-26 00:31]
    .
    2011-05-06 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
    - c:\program files\Norton SystemWorks\OBC.exe [2005-03-13 03:57]
    .
    2011-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-05-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1809832699-2326369520-2915903831-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://srch-us6.hpwis.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://srch-us6.hpwis.com/
    uInternet Settings,ProxyOverride = localhost
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\k0vskcty.default\
    FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=&tool_id=60531&qkw=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: avast! WebRep: [email protected] - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Move Media Player: [email protected] - c:\documents and settings\Owner\Application Data\Move Networks
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-08 08:01
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(916)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Norton GoBack\GBPoll.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Completion time: 2011-05-08 08:13:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-05-08 12:13
    ComboFix2.txt 2011-05-06 23:51
    ComboFix3.txt 2011-05-05 00:03
    ComboFix4.txt 2011-05-04 20:55
    .
    Pre-Run: 26,302,455,808 bytes free
    Post-Run: 26,295,037,952 bytes free
    .
    - - End Of File - - 449477C0FBF321DCEC2FA13E38CC765A


    ==


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.11

    5/8/2011 9:07:08 AM
    mbam-log-2011-05-08 (09-07-08).txt

    Scan type: Quick scan
    Objects scanned: 142026
    Time elapsed: 26 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Repair Registry Pro (Rogue.RepairRegistryPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ==


    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 2
    Out of date service pack!!
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Out of date Spybot installed!
    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 24
    Out of date Java installed!
    Adobe Flash Player 10.0.42.34
    Adobe Reader 9.1
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.5.1) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````
     

Short URL to this thread: https://techguy.org/995025
