SuperDave, So far so good! Computer seems to be running good and hopefully you have gotten rid of the virus for me. Can't thank you enough, Jim
Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled!
COMODO Internet Security
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check: SUPERAntiSpyware
CCleaner
Java(TM) 6 Update 31
Adobe Flash Player 9.0.124.0
Flash Player out of Date! Mozilla Firefox (3.0.19)
Firefox out of Date! ````````````````````````````````
Process Check:
objlist.exe by Laurent Windows Defender MSMpEng.exe
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log```````````` ComboFix 12-03-29.01 - User 03/29/2012 7:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\WINDOWS
C:\Install.exe
c:\windows\$NtUninstallKB58502$
c:\windows\$NtUninstallKB58502$\2186156817
c:\windows\$NtUninstallKB58502$\2218614971\@
c:\windows\$NtUninstallKB58502$\2218614971\cfg.ini
c:\windows\$NtUninstallKB58502$\2218614971\Desktop.ini
c:\windows\$NtUninstallKB58502$\2218614971\L\uramoocp
c:\windows\$NtUninstallKB58502$\2218614971\U\00000001.@
c:\windows\$NtUninstallKB58502$\2218614971\U\00000002.@
c:\windows\$NtUninstallKB58502$\2218614971\U\00000004.@
c:\windows\$NtUninstallKB58502$\2218614971\U\80000000.@
c:\windows\$NtUninstallKB58502$\2218614971\U\80000004.@
c:\windows\$NtUninstallKB58502$\2218614971\U\80000032.@
c:\windows\$NtUninstallKB58502$\2218614971\version
c:\windows\system32\bszip.dll
c:\windows\system32\CCXPButton.ocx
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\WinSys.exe
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 11:54 . 2008-04-14 04:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-28 23:22 . 2012-03-13 23:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\
{2D78DB5F-CAE1-4F70-ACDC-CA3D2199E0CF}\mpengine.dll
2012-03-28 23:05 . 2012-03-28 23:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-28 23:05 . 2012-03-28 23:05 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-28 22:59 . 2012-03-28 22:59 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-03-28 15:17 . 2012-03-28 15:18 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 15:00 . 2012-03-28 15:00 -------- d-----w- c:\program files\CCleaner
2012-03-28 14:31 . 2012-03-28 14:31 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Comodo
2012-03-28 14:29 . 2012-03-28 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\CPA_VA
2012-03-28 14:28 . 2012-03-28 14:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-03-28 14:25 . 2012-03-28 14:26 -------- d-----w- c:\program files\Comodo
2012-03-28 14:25 . 2012-03-28 14:25 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-03-12 01:13 . 2012-03-12 01:13 97760 ----a-w- c:\windows\system32\drivers\inspect.sys
2012-03-12 01:13 . 2012-03-12 01:13 494968 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2012-03-12 01:13 . 2012-03-12 01:13 31704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2012-03-12 01:13 . 2012-03-12 01:13 18056 ----a-w- c:\windows\system32\drivers\cmderd.sys
2012-03-12 01:13 . 2012-03-12 01:13 33984 ----a-w- c:\windows\system32\cmdcsr.dll
2012-03-12 01:13 . 2012-03-12 01:13 301224 ----a-w- c:\windows\system32\guard32.dll
2012-03-03 16:35 . 2012-03-03 16:35 -------- d-----w- c:\program files\Common Files\Java
2012-03-03 16:35 . 2012-03-03 16:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-03 16:35 . 2010-05-01 11:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-20 13:00 . 2011-05-19 21:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-03 23:17 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2012-02-12 19:21 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 17:01 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-08-08 07:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-02-12 273544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-04-05 421888]
"nwiz"="nwiz.exe" [2007-11-07 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 208184]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 182584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 6749512]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-8-9 25214]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2006-9-7 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [3/11/2012 9:13 PM 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [3/11/2012 9:13 PM 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO GeekBuddy\CLPSLS.exe [11/23/2011 6:27 AM 1052472]
S3 cpuz134;cpuz134;\??\c:\docume~1\User\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\User\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
.
NETSVCS REQUIRES REPAIRS - current entries shown6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
ERSvc
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Messenger
Netman
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
HpqRemHid
wanatw
sgeclient
se2Bnd5
pml
savrt
streamloadservice
z525obex
qbreminderflash
scsk4
utscsi
VCIDRV
sonypvs1
addfiltr
nimxdfk
ELmou
navap
XBCD
LMIRfsClientNP
smcservice
{6080a529-897e-4629-a488-aba0c29b635e}
lkcitadelserver
igateway
atiavaiw
amdk8
mcshield
WmiAcpi
ood2000
netmnt
tphdexlgsvc
ZTEusbmdm6k
xfactorae1
aegisp
fcdabus
RMCAST
uclauncherservice
TuneUp.ProgramStatisticsSvc
starwindserviceae
bc_pat_f
U81xobex
rspndr
s7otranx
aslm75
MSMQTriggers
procexp100
regspy
houdiniserver
RTL8023xp
zunenetworksvc
{d31a0762-0ceb-444e-acff-b049a1f6fe91}
netwg311
inorpc
OEM02Afx
websenseuserservice
vzfw
npkcrypt
bridge
zebrceb
Packet
ssdiagn
de_serv
DivisCTP
nlsvc
FileDisk
netw4x32
netsvc
mcontrol
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
wscsvc
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc
WmdmPmSN
napagent
hkmsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-03-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1757981266-1972579041-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1757981266-1972579041-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Connection Wizard,ShellNext = hxxp://sitedirector.symantec.com/932743328/?ssdcat=102&v=1&k=0&catb=CategoryInternet&Hv=1&Holang=iso:
ENG&Holoc=iso:USA&Hover=5.1&Hcat=CategoryInternet&P1v=
P2.00&P1sm=10753761&P1sp=10753761&P1sf=10751683&P1lang=EN&P1vid=unknown&P1vtag=0&P1lab=16928786&P1ltp=Retail&P1rem=58
uInternet Settings,ProxyOverride = <local>
Trusted Zone: download.com
TCP: DhcpNameServer = 64.53.59.254 64.35.214.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxp://imgweb.charlestoncounty.org/AppNet/activex/OBXPopup.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\8d7luczb.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_PMM_with_IM&search=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter:
[email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{DF95941F-08A5-482C-BEFF-37AEDC791B5F} - (no file)
Toolbar-Locked - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-AllMyNotes - c:\program files\AllMyNotes Organizer\AllMyNotes.exe
HKLM-Run-RegWork - c:\program files\RegWork\RegWork.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2012-03-29 08:06
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(172)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(724)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\program files\COMODO\COMODO GeekBuddy\CLPS.exe
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-03-29 08:11:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-29 12:11
.
Pre-Run: 300,167,376,896 bytes free
Post-Run: 300,767,735,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4F4A9B5A4AEBBA611DF27C73A1016EB2