WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

ping.exe & very high CPU usage [Solved]

Started by Brian Wilk , Nov 25 2011 03:23 PM

This topic is locked

14 replies to this topic

#1 Brian Wilk

New Member

Authentic Member
8 posts

Posted 25 November 2011 - 03:23 PM

Hello

I have suddenly come across a problem where the ping.exe process opens and starts to use an increasingly high fraction of the CPU - often rising to 80% or more - causing my computer almost to freeze up. I can end the process from within Task Manager but every time that I do this, ping.exe starts up again within a few minutes and soon my computer is working very, very slowly again.

I have run the DDS tool and this is the content of the DDS.txt file that it produced

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Brian Wilks at 16:05:47.11 on Fri 11/25/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2045 [GMT -5:00]
.
AV: Trend Micro PC-cillin Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\DOCUME~1\BRIANW~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\AOL\1170308299\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Wilks\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061107
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60143
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [CSmileys] "c:\progra~1\crawler\smileys\CSmileysIM.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [HostManager] c:\program files\common files\aol\1170308299\ee\AOLSoftware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickenSEIcon] c:\qwse\QAWARE.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [BillMinder] c:\qwse\BILLMIND.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171599990562
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-443838540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-20 13496]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [2002-4-22 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-25 19:29:35 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-25 19:29:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft735.dll
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft734.dll
2011-11-21 06:31:00 92140 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal_737PICX.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_500.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_400.exe
2011-11-19 06:13:23 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320iae\texture.usnew\pman_airbus.exe
2011-11-19 05:48:15 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usnew\pman_airbus.exe
2011-11-19 05:20:04 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usold\pman_airbus.exe
2011-11-15 05:01:18 -------- d-----w- c:\docume~1\brianw~1\applic~1\DDMSettings
2011-11-08 06:08:15 90928 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_TCAS.dll
2011-11-08 06:08:15 82720 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_SOUND.dll
2011-11-06 00:37:12 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35:16 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52:40 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52:06 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:52:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2011-11-05 17:51:13 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51:13 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51:13 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48:26 -------- d-----w- c:\docume~1\brianw~1\locals~1\applic~1\HP
.
==================== Find3M ====================
.
2011-11-19 06:15:25 4598 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-11-11 16:13:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-02-19 20:22:07 12307656 -c--a-w- c:\program files\wdviewer.exe
.
============= FINISH: 16:08:58.40 ===============

The DDS tool also produced a file called "Attach" and the instructions said to attach this to my forum post rather than coppying and pasting its contents; so I've attached that file.

Any help that you can give me with my problem will be much appreciated.

Regards

Brian Wilks

Attached Files

Attach.txt 22.65KB 286 downloads

Advertisements

Register to Remove

#2 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 28 November 2011 - 10:58 AM

Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#3 Brian Wilk

New Member

Authentic Member
8 posts

Posted 28 November 2011 - 02:27 PM

Hello Blade81 I've run across a problem while running the ComboFix tool. I downloaded it and, having turned off my anti-virus program, I ran it. I got as far as the message 'Congratulations - the Microsoft Recovery Console was successfully installed' then I clcked 'Yes' to continue the scan. I got the first Autoscan window where it says 'Scanning for infected files ... this doesn't take more than 10 minutes' and then the problem occurred. Firstly I got a message window (like a normal gray Microsoft pop-up message window - not a message within the blue Autoscan window) saying something along the lines of "You have a RootKit infection that can be difficult - if you have trouble reconnecting to the internet try rebooting again and run ComboFix again'. That message disappeared after about 5-10 seconds. Immediately after that I got another gray pop-up box that said something like 'You have a RootKit infection, let ComboFix reboot your machine - do not reboot it yourself'. After that, the whole screen went blue with no more messages and it's been that way for 45 minutes now - which seems way too long simply to reboot the computer. I'm reluctant to do anything in view of the warning to let ComboFix reboot and not to do it myself. But it looks as if the program/computer has stopped, with no sign of anything happening. Do you have any advice on what I should do now? Many thanks Brian Wilks

#4 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 28 November 2011 - 02:49 PM

Hi, Please reboot it manually. Let's see if ComboFix is able to create a log.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#5 Brian Wilk

New Member

Authentic Member
8 posts

Posted 28 November 2011 - 02:59 PM

Thanks so much for your fast reply - the manual reboot worked and ComboFix is now running - up to stage 4 now. So hopefully it'll create the log that you need. [Incidentally, in case you're wondering, while my PC is 'locked up' I'm using the wife's laptop to contact you.] Many thanks once again for your help! Will post the log soon (hopefully!) Brian Wilks

#6 Brian Wilk

New Member

Authentic Member
8 posts

Posted 28 November 2011 - 03:46 PM

Hello again

Well ComboFix prepared the long and I'm including that as well as the new DDS log. As regards, the DDS stuff, there are two items - the DDS txt and the DDS attach. So, as with my first post, I'll copy & Paste the log but attach the 'Attach' file. Okay then, here is the ComboFix log

ComboFix 11-11-28.02 - Brian Wilks 11/28/2011 15:54:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2534 [GMT -5:00]
Running from: c:\documents and settings\Brian Wilks\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Brian Wilks\WINDOWS
c:\windows\$NtUninstallKB25498$
c:\windows\$NtUninstallKB25498$\2534077584\@
c:\windows\$NtUninstallKB25498$\2534077584\bckfg.tmp
c:\windows\$NtUninstallKB25498$\2534077584\cfg.ini
c:\windows\$NtUninstallKB25498$\2534077584\Desktop.ini
c:\windows\$NtUninstallKB25498$\2534077584\keywords
c:\windows\$NtUninstallKB25498$\2534077584\kwrd.dll
c:\windows\$NtUninstallKB25498$\2534077584\L\pdmzmplg
c:\windows\$NtUninstallKB25498$\2534077584\lsflt7.ver
c:\windows\$NtUninstallKB25498$\2534077584\U\00000001.@
c:\windows\$NtUninstallKB25498$\2534077584\U\00000002.@
c:\windows\$NtUninstallKB25498$\2534077584\U\00000004.@
c:\windows\$NtUninstallKB25498$\2534077584\U\80000000.@
c:\windows\$NtUninstallKB25498$\2534077584\U\80000004.@
c:\windows\$NtUninstallKB25498$\2534077584\U\80000032.@
c:\windows\$NtUninstallKB25498$\2802904236
c:\windows\CSC\d6
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\kb913800.exe
c:\windows\system32\download
c:\windows\system32\Download\ispinfo.csv
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-28 )))))))))))))))))))))))))))))))
.
.
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-28 15:27 . 2011-11-28 15:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-27 20:01 . 2011-11-27 20:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-27 17:03 . 2011-11-27 17:03 111616 ----a-w- c:\windows\system32\ComG23.com__
2011-11-26 00:36 . 2011-11-26 00:36 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2011-11-25 19:07 . 2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
2011-11-25 19:07 . 2011-11-25 19:07 162304 ----a-w- c:\windows\system32\sqlcsw32.dll
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft734.dll
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft735.dll
2011-11-21 06:31 . 2011-11-21 06:32 92140 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Uninstal_737PICX.exe
2011-11-21 06:31 . 2007-05-10 12:15 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_500.exe
2011-11-21 06:31 . 2007-05-10 12:14 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_400.exe
2011-11-15 05:01 . 2011-11-15 05:01 -------- d-----w- c:\documents and settings\Brian Wilks\Application Data\DDMSettings
2011-11-08 06:08 . 2007-12-14 06:48 82720 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_SOUND.dll
2011-11-08 06:08 . 2006-12-02 16:26 90928 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_TCAS.dll
2011-11-06 00:37 . 1993-10-14 04:00 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35 . 2011-11-06 00:35 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52 . 2011-11-05 18:32 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2011-11-05 17:52 . 2011-11-05 17:52 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:51 . 2010-11-17 00:53 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51 . 2010-11-17 00:53 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51 . 2010-11-17 00:53 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\Brian Wilks\Local Settings\Application Data\HP
2011-10-30 20:06 . 2011-10-30 20:06 -------- d-----w- c:\program files\7-Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 16:13 . 2011-05-16 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2010-03-18 14:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-08-16 09:18 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-08-16 09:18 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20 . 2005-08-16 09:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-10-12 22:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-02-19 20:22 . 2007-02-19 20:21 12307656 -c--a-w- c:\program files\wdviewer.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2009-06-10 334224]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HostManager"="c:\program files\Common Files\AOL\1170308299\ee\AOLSoftware.exe" [2006-09-26 50736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"QuickenSEIcon"="c:\qwse\QAWARE.EXE" [1997-02-27 43008]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"BillMinder"="c:\qwse\BILLMIND.EXE" [1997-02-27 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 227840]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 123392]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-7 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sqlesw32]
2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sqlseses]
2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170308299\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/20/2011 11:16 AM 13496]
R2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/16/2005 4:18 AM 14336]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 9:47 AM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 9:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 9:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 9:47 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 9:47 AM 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [4/22/2002 8:28 AM 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-11-28 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-28 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-26 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-26 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-28 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-20 22:19]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
WebBrowser-{9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
HKCU-Run-CSmileys - c:\progra~1\Crawler\Smileys\CSmileysIM.exe
HKCU-Run-PC Suite Tray - c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-28 16:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3892842863-2275708963-895663736-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\sqlesw32.dll
.
- - - - - - - > 'explorer.exe'(2160)
c:\windows\system32\WININET.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\HPZipm12.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\TRENDM~1\INTERN~1\PccGuide.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\BRIANW~1\LOCALS~1\Temp\clclean.0001
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-28 16:25:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-28 21:24
.
Pre-Run: 22,879,629,312 bytes free
Post-Run: 23,813,574,656 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - DDB5656CDC5AF51367FB0DEDCFCF14DB

and here is the new

Attach.txt 24.2KB 263 downloadsDDS log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Brian Wilks at 16:33:04.32 on Mon 11/28/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2211 [GMT -5:00]
.
AV: Trend Micro PC-cillin Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k Sqlses
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\AOL\1170308299\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\DOCUME~1\BRIANW~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\stsystra.exe
C:\QWSE\QAWARE.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Eraser\Eraser.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian Wilks\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [HostManager] c:\program files\common files\aol\1170308299\ee\AOLSoftware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickenSEIcon] c:\qwse\QAWARE.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [BillMinder] c:\qwse\BILLMIND.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171599990562
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-443838540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: sqlesw32 - sqlesw32.dll
Notify: Sqlseses - sqlesw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-20 13496]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2005-8-16 14336]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [2002-4-22 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-28 19:46:57 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-28 19:46:57 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-28 19:37:44 -------- d-sha-r- C:\cmdcons
2011-11-28 19:34:30 98816 ----a-w- c:\windows\sed.exe
2011-11-28 19:34:30 518144 ----a-w- c:\windows\SWREG.exe
2011-11-28 19:34:30 256000 ----a-w- c:\windows\PEV.exe
2011-11-28 19:34:30 208896 ----a-w- c:\windows\MBR.exe
2011-11-28 15:27:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-28 15:27:22 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-27 17:03:57 111616 ----a-w- c:\windows\system32\ComG23.com__
2011-11-25 19:07:26 37888 ----a-w- c:\windows\system32\sqlesw32.dll
2011-11-25 19:07:26 162304 ----a-w- c:\windows\system32\sqlcsw32.dll
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft735.dll
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft734.dll
2011-11-21 06:31:00 92140 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal_737PICX.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_500.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_400.exe
2011-11-19 06:13:23 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320iae\texture.usnew\pman_airbus.exe
2011-11-19 05:48:15 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usnew\pman_airbus.exe
2011-11-19 05:20:04 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usold\pman_airbus.exe
2011-11-15 05:01:18 -------- d-----w- c:\docume~1\brianw~1\applic~1\DDMSettings
2011-11-08 06:08:15 90928 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_TCAS.dll
2011-11-08 06:08:15 82720 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_SOUND.dll
2011-11-06 00:37:12 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35:16 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52:40 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52:06 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:52:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2011-11-05 17:51:13 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51:13 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51:13 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48:26 -------- d-----w- c:\docume~1\brianw~1\locals~1\applic~1\HP
.
==================== Find3M ====================
.
2011-11-19 06:15:25 4598 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-11-11 16:13:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-02-19 20:22:07 12307656 -c--a-w- c:\program files\wdviewer.exe
.
============= FINISH: 16:34:37.32 ===============

and, finally, I'm attaching the DDS 'attach' file.

Look forward to hearing from you.

- and thanks once again

Brian Wilks

#7 Brian Wilk

New Member

Authentic Member
8 posts

Posted 28 November 2011 - 03:50 PM

I slightly messed up on attaching the DDS 'Attach' file - for some reason it doesn't appear at the bottom of my last message but is in the middle of it, at the start of the copied and pasted DDS log ... just where I say "and here is the new DDS log" (it appears in the middle of that text. Thanks Brian

#8 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 28 November 2011 - 11:32 PM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.whatthetech.com/index.php?showtopic=121274
Suspect::
c:\windows\system32\sqlesw32.dll
c:\windows\system32\sqlcsw32.dll
File::
c:\windows\system32\ComG23.com__

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.

Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and separate 10.1.1 update for it) here or get Foxit Reader here. Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here.

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 7 Update 1.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u1-windows-i586.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

* Go here to run an online scanner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#9 Brian Wilk

New Member

Authentic Member
8 posts

Posted 29 November 2011 - 05:58 PM

Hello again

Sorry to have been delayed in replying but the tasks took quite a long time to complete (the Eset scan alone took over 5 hours) but I now done everything mentioned in your last note.

So, here is the ComboFix log report (copied & Pasted)

ComboFix 11-11-29.04 - Brian Wilks 11/29/2011 11:27:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2403 [GMT -5:00]
Running from: c:\documents and settings\Brian Wilks\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian Wilks\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
FILE ::
"c:\windows\system32\ComG23.com__"
.
file zipped: c:\windows\system32\sqlcsw32.dll
file zipped: c:\windows\system32\sqlesw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\BRIANW~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Brian Wilks\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\ComG23.com__
c:\windows\system32\usmt\migwiz_a.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-29 )))))))))))))))))))))))))))))))
.
.
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-28 15:27 . 2011-11-28 15:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-27 20:01 . 2011-11-27 20:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-26 00:36 . 2011-11-26 00:36 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2011-11-25 19:07 . 2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
2011-11-25 19:07 . 2011-11-25 19:07 162304 ----a-w- c:\windows\system32\sqlcsw32.dll
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft734.dll
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft735.dll
2011-11-21 06:31 . 2011-11-21 06:32 92140 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Uninstal_737PICX.exe
2011-11-21 06:31 . 2007-05-10 12:15 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_500.exe
2011-11-21 06:31 . 2007-05-10 12:14 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_400.exe
2011-11-19 06:13 . 2011-11-17 04:57 124616 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\SimObjects\Airplanes\feelThere PIC A320IAE\Texture.UsNEW\pman_airbus.exe
2011-11-19 05:48 . 2011-11-17 04:57 124616 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\SimObjects\Airplanes\feelThere PIC A320\Texture.UsNEW\pman_airbus.exe
2011-11-19 05:20 . 2011-11-17 04:52 124616 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\SimObjects\Airplanes\feelThere PIC A320\Texture.USOld\pman_airbus.exe
2011-11-15 05:01 . 2011-11-15 05:01 -------- d-----w- c:\documents and settings\Brian Wilks\Application Data\DDMSettings
2011-11-08 06:08 . 2007-12-14 06:48 82720 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_SOUND.dll
2011-11-08 06:08 . 2006-12-02 16:26 90928 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_TCAS.dll
2011-11-06 00:37 . 1993-10-14 04:00 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35 . 2011-11-06 00:35 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52 . 2011-11-05 18:32 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2011-11-05 17:52 . 2011-11-05 17:52 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:51 . 2010-11-17 00:53 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51 . 2010-11-17 00:53 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51 . 2010-11-17 00:53 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\Brian Wilks\Local Settings\Application Data\HP
2011-10-30 20:06 . 2011-10-30 20:06 -------- d-----w- c:\program files\7-Zip
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 16:13 . 2011-05-16 14:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2010-03-18 14:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-08-16 09:18 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-08-16 09:18 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20 . 2005-08-16 09:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 22:00 . 2010-10-12 22:35 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-02-19 20:22 . 2007-02-19 20:21 12307656 -c--a-w- c:\program files\wdviewer.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-28_21.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-29 16:08 . 2011-11-29 16:08 16384 c:\windows\Temp\Perflib_Perfdata_994.dat
+ 2006-11-10 17:56 . 2011-11-29 16:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-10 17:56 . 2011-11-28 01:08 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-10 17:56 . 2011-11-29 16:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-10 17:56 . 2011-11-28 01:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-11-29 04:36 . 2011-11-29 04:36 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-11-28 22:40 . 2011-11-29 16:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-10 17:56 . 2011-11-28 01:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2009-06-10 334224]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HostManager"="c:\program files\Common Files\AOL\1170308299\ee\AOLSoftware.exe" [2006-09-26 50736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"QuickenSEIcon"="c:\qwse\QAWARE.EXE" [1997-02-27 43008]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"BillMinder"="c:\qwse\BILLMIND.EXE" [1997-02-27 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 227840]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 123392]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-7 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sqlesw32]
2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sqlseses]
2011-11-25 19:07 37888 ----a-w- c:\windows\system32\sqlesw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170308299\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/20/2011 11:16 AM 13496]
R2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/16/2005 4:18 AM 14336]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 9:47 AM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 9:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 9:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 9:47 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 9:47 AM 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [4/22/2002 8:28 AM 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-11-28 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-29 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-26 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-26 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-29 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-20 22:19]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-29 11:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3892842863-2275708963-895663736-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\sqlesw32.dll
.
Completion time: 2011-11-29 11:55:56
ComboFix-quarantined-files.txt 2011-11-29 16:55
ComboFix2.txt 2011-11-28 21:25
.
Pre-Run: 23,894,081,536 bytes free
Post-Run: 23,895,511,040 bytes free
.
- - End Of File - - AE38F6CFFD9177C86AF4F8A876E88062
Upload was successful

... and here is a copy of the ESET report (copied & pasted)

C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\16\26dcc390-77c397e3 multiple threats
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\17\299e4e91-7f266ce8 Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\36\18923ca4-568d54fb multiple threats
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-472370d6 Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\53\40156375-39e6db16 a variant of Win32/Kryptik.WCJ trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\9\26ca7549-5000a28e Java/TrojanDownloader.OpenStream.NAZ trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-13cd699a-4ea47c3b.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-142469c0-25d13b51.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-42a3cd7b-275253c5.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-46e8eeba-1e434caa.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-79dc8d6d-11f1a10f.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-93e706-6eca14e2.class Java/TrojanDownloader.OpenStream.NAC trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-2a79e556-64bcad21.zip Java/TrojanDownloader.OpenStream.NAD trojan
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-72f2694f-427c2f43.zip a variant of Java/TrojanDownloader.OpenStream.NAD trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44(2)\51790fac-44cf1335 a variant of Win32/Kryptik.WEI trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\ComG23.com__.vir a variant of Win32/Kryptik.VRX trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1838\A0510326.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0510402.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0510505.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0511505.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512505.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512547.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512581.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512632.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512662.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512691.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0512741.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0513741.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0514741.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0515741.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0516747.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1839\A0519749.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1840\A0521796.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0521854.exe a variant of Win32/Kryptik.WEI trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0521931.com a variant of Win32/Kryptik.VYL trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0521990.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0522990.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0523018.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1841\A0523065.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0523122.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0523144.com a variant of Win32/Kryptik.VYL trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0523275.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0523307.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0523335.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1842\A0524335.sys a variant of Win32/Rootkit.Kryptik.FJ trojan

and here is the fresh DDS report (copied & pasted)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Brian Wilks at 18:41:47.50 on Tue 11/29/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2212 [GMT -5:00]
.
AV: Trend Micro PC-cillin Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\DOCUME~1\BRIANW~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\AOL\1170308299\ee\AOLSoftware.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\stsystra.exe
svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Saitek\SD6\Software\ProfilerU.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Saitek\SD6\Software\SaiMfd.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k Sqlses
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Brian Wilks\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Eraser] c:\program files\eraser\Eraser.exe -hide
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [HostManager] c:\program files\common files\aol\1170308299\ee\AOLSoftware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickenSEIcon] c:\qwse\QAWARE.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [BillMinder] c:\qwse\BILLMIND.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [ProfilerU] c:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171599990562
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-443838540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
Notify: sqlesw32 - sqlesw32.dll
Notify: Sqlseses - sqlesw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-3-20 13496]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2005-8-16 14336]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [2002-4-22 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-29 18:16:47 -------- d-----w- c:\program files\ESET
2011-11-29 18:01:26 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-29 17:35:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-28 19:46:57 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-28 19:46:57 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-28 19:37:44 -------- d-sha-r- C:\cmdcons
2011-11-28 19:34:30 98816 ----a-w- c:\windows\sed.exe
2011-11-28 19:34:30 518144 ----a-w- c:\windows\SWREG.exe
2011-11-28 19:34:30 256000 ----a-w- c:\windows\PEV.exe
2011-11-28 19:34:30 208896 ----a-w- c:\windows\MBR.exe
2011-11-28 15:27:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-11-28 15:27:22 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-25 19:07:26 37888 ----a-w- c:\windows\system32\sqlesw32.dll
2011-11-25 19:07:26 162304 ----a-w- c:\windows\system32\sqlcsw32.dll
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft735.dll
2011-11-21 06:31:01 1631136 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\ft734.dll
2011-11-21 06:31:00 92140 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\Uninstal_737PICX.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_500.exe
2011-11-21 06:31:00 282624 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\feelthere\b737\737setup_400.exe
2011-11-19 06:13:23 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320iae\texture.usnew\pman_airbus.exe
2011-11-19 05:48:15 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usnew\pman_airbus.exe
2011-11-19 05:20:04 124616 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\simobjects\airplanes\feelthere pic a320\texture.usold\pman_airbus.exe
2011-11-15 05:01:18 -------- d-----w- c:\docume~1\brianw~1\applic~1\DDMSettings
2011-11-08 06:08:15 90928 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_TCAS.dll
2011-11-08 06:08:15 82720 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\JF757_FSX_SOUND.dll
2011-11-06 00:37:12 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35:16 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54:22 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52:40 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52:06 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:52:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2011-11-05 17:51:13 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51:13 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51:13 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48:26 -------- d-----w- c:\docume~1\brianw~1\locals~1\applic~1\HP
.
==================== Find3M ====================
.
2011-11-29 18:01:02 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-19 06:15:25 4598 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-10-20 23:26:22 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-02-19 20:22:07 12307656 -c--a-w- c:\program files\wdviewer.exe
.
============= FINISH: 18:44:09.21 ===============

... and, lastly, there is the 'Attach' file created by DDS which I'm going to attach in a separate post in case you need it

Attached Files

Attach.txt 24.82KB 242 downloads

#10 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 30 November 2011 - 10:34 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\sqlesw32.dll
c:\windows\system32\sqlcsw32.dll
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\16\26dcc390-77c397e3
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\17\299e4e91-7f266ce8
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\36\18923ca4-568d54fb
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-472370d6
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\53\40156375-39e6db16
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\9\26ca7549-5000a28e
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-13cd699a-4ea47c3b.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-142469c0-25d13b51.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-42a3cd7b-275253c5.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-46e8eeba-1e434caa.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-79dc8d6d-11f1a10f.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-93e706-6eca14e2.class
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-2a79e556-64bcad21.zip
C:\Documents and Settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-72f2694f-427c2f43.zip
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44(2)\51790fac-44cf1335
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sqlesw32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sqlseses]

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log. How's the system running?

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#11 Brian Wilk

New Member

Authentic Member
8 posts

Posted 30 November 2011 - 01:11 PM

Hello again and continuing thanks for your help.

I performed the latest task with ComboFix - after temporarily disabling my anti-virus - and here is the log it has just produced (copied & pasted)

ComboFix 11-11-30.01 - Brian Wilks 11/30/2011 13:32:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2384 [GMT -5:00]
Running from: c:\documents and settings\Brian Wilks\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian Wilks\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *Enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
FILE ::
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\16\26dcc390-77c397e3"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\17\299e4e91-7f266ce8"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\36\18923ca4-568d54fb"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-472370d6"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\53\40156375-39e6db16"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\9\26ca7549-5000a28e"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-13cd699a-4ea47c3b.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-142469c0-25d13b51.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-42a3cd7b-275253c5.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-46e8eeba-1e434caa.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-79dc8d6d-11f1a10f.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-93e706-6eca14e2.class"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-2a79e556-64bcad21.zip"
"c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-72f2694f-427c2f43.zip"
"c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44(2)\51790fac-44cf1335"
"c:\windows\system32\sqlcsw32.dll"
"c:\windows\system32\sqlesw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\BRIANW~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\16\26dcc390-77c397e3
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\17\299e4e91-7f266ce8
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\36\18923ca4-568d54fb
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-472370d6
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\53\40156375-39e6db16
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\6.0\9\26ca7549-5000a28e
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-13cd699a-4ea47c3b.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-142469c0-25d13b51.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-42a3cd7b-275253c5.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-46e8eeba-1e434caa.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-79dc8d6d-11f1a10f.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\animan.class-93e706-6eca14e2.class
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-2a79e556-64bcad21.zip
c:\documents and settings\Brian Wilks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Java2SE.jar-72f2694f-427c2f43.zip
c:\documents and settings\Brian Wilks\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44(2)\51790fac-44cf1335
c:\windows\system32\sqlcsw32.dll
c:\windows\system32\sqlesw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SqlCSS
-------\Service_SqlCSS
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))
.
.
2011-11-30 15:24 . 2011-11-30 15:24 -------- d-----w- c:\documents and settings\Brian Wilks\Local Settings\Application Data\Sun
2011-11-29 18:01 . 2011-11-29 18:01 -------- d-----w- c:\program files\Common Files\Java
2011-11-29 18:01 . 2011-11-29 18:01 128000 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-29 17:35 . 2011-11-29 17:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-29 17:18 . 2011-11-29 17:18 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-28 19:46 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys
2011-11-28 15:27 . 2011-11-28 15:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-11-27 20:01 . 2011-11-27 20:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-26 00:36 . 2011-11-26 00:36 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft734.dll
2011-11-21 06:31 . 2007-12-10 13:02 1631136 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\ft735.dll
2011-11-21 06:31 . 2011-11-21 06:32 92140 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Uninstal_737PICX.exe
2011-11-21 06:31 . 2007-05-10 12:15 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_500.exe
2011-11-21 06:31 . 2007-05-10 12:14 282624 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FeelThere\b737\737setup_400.exe
2011-11-15 05:01 . 2011-11-15 05:01 -------- d-----w- c:\documents and settings\Brian Wilks\Application Data\DDMSettings
2011-11-08 06:08 . 2007-12-14 06:48 82720 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_SOUND.dll
2011-11-08 06:08 . 2006-12-02 16:26 90928 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\JF757_FSX_TCAS.dll
2011-11-06 00:37 . 1993-10-14 04:00 21648 ----a-w- c:\windows\system\CTL3DV2.DLL
2011-11-06 00:35 . 2011-11-06 00:35 -------- d-----w- c:\program files\MGOLF
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-05 17:54 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-05 17:52 . 2011-11-05 18:32 -------- d-----w- c:\program files\Microsoft
2011-11-05 17:52 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2011-11-05 17:52 . 2011-11-05 17:52 -------- d-----w- c:\program files\HP Photo Creations
2011-11-05 17:51 . 2010-11-17 00:53 267112 ----a-w- c:\windows\system32\hpinksts8811LM.dll
2011-11-05 17:51 . 2010-11-17 00:53 232296 ----a-w- c:\windows\system32\hpinksts8811.dll
2011-11-05 17:51 . 2010-11-17 00:53 213864 ----a-w- c:\windows\system32\hpinkcoi8811.dll
2011-11-05 17:48 . 2011-11-05 17:58 -------- d-----w- c:\documents and settings\Brian Wilks\Local Settings\Application Data\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 18:01 . 2010-04-26 18:09 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll
2011-10-10 14:22 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2010-03-18 14:09 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-08-16 09:18 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-08-16 09:18 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-08-16 09:18 599040 ----a-w- c:\windows\system32\crypt32(2)(2).dll
2011-09-06 13:20 . 2005-08-16 09:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2007-02-19 20:22 . 2007-02-19 20:21 12307656 -c--a-w- c:\program files\wdviewer.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-28_21.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-30 18:53 . 2011-11-30 18:53 16384 c:\windows\Temp\Perflib_Perfdata_1bc.dat
+ 2006-11-10 17:56 . 2011-11-30 15:24 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-10 17:56 . 2011-11-30 15:24 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-10 17:56 . 2011-11-28 01:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-11-29 04:36 . 2011-11-29 04:36 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
+ 2011-11-30 18:04 . 2011-11-30 15:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2006-11-10 17:56 . 2011-11-28 01:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-11-29 21:36 . 2011-11-30 15:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-11-29 17:18 . 2011-11-29 17:18 28160 c:\windows\Installer\86c44.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 17304 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\ViewerPS.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 35736 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\reader_sl.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 88992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlr.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 94608 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\eula.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 49064 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrotextextractor.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 17824 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32Info.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 63912 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acroiehelpershim.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 64928 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroIEHelper.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 63384 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\Acrofx32.dll
- 2011-11-11 16:13 . 2011-11-11 16:13 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
+ 2011-11-29 17:35 . 2011-11-29 17:35 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
- 2011-11-11 16:13 . 2011-11-11 16:13 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2011-11-29 17:35 . 2011-11-29 17:35 335520 c:\windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.dll
+ 2011-11-29 18:01 . 2011-11-29 18:01 214408 c:\windows\system32\javaws.exe
+ 2011-11-29 18:01 . 2011-11-29 18:01 173960 c:\windows\system32\javaw.exe
+ 2011-11-29 18:01 . 2011-11-29 18:01 173960 c:\windows\system32\java.exe
+ 2011-11-29 18:01 . 2011-11-29 18:01 176640 c:\windows\Installer\3b289.msi
+ 2011-11-29 18:00 . 2011-11-29 18:00 938496 c:\windows\Installer\3b27b.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 249232 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\sqlite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 394136 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\pdfshell.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 103848 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\PDFPrevHndlrShim.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 183696 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\nppdf32.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 104344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AiodLite.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 102808 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRdIF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 755088 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroPDF.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 296344 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\acrobroker.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 205720 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\a3dutils.dll
+ 2011-11-29 17:20 . 2011-11-29 17:20 2295808 c:\windows\Installer\86d09.msi
+ 2011-06-06 17:55 . 2011-06-06 17:55 2215312 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\rt3d.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 6543768 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\authplay.dll
+ 2011-06-06 17:55 . 2011-06-06 17:55 1240992 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AdobeCollabSync.exe
+ 2011-06-06 17:55 . 2011-06-06 17:55 1480600 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.exe
+ 2011-09-05 21:51 . 2011-09-05 21:51 13135872 c:\windows\Installer\86d0a.msp
+ 2011-06-06 17:55 . 2011-06-06 17:55 24731544 c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\AcroRd32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 24576]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2009-06-10 334224]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"MBMon"="CTMBHA.DLL" [2006-06-29 1355042]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HostManager"="c:\program files\Common Files\AOL\1170308299\ee\AOLSoftware.exe" [2006-09-26 50736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"QuickenSEIcon"="c:\qwse\QAWARE.EXE" [1997-02-27 43008]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"BillMinder"="c:\qwse\BILLMIND.EXE" [1997-02-27 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-05-05 1632360]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2010-07-29 227840]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2010-07-29 123392]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-7 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\1170308299\\ee\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [3/20/2011 11:16 AM 13496]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 9:47 AM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 9:47 AM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 9:47 AM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 9:47 AM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 9:47 AM 262215]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 DCamUSBLTN;M318B Digital Video Camera;c:\windows\system32\drivers\vq318vid.sys [4/22/2002 8:28 AM 113632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/17/2010 10:57 AM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-11-28 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-30 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-29 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-29 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-11-17 01:12]
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-17 15:57]
.
2011-11-30 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2011-03-20 22:19]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.baynews9.com/Home.html
uInternet Connection Wizard,ShellNext = https://ccc.trendmic...rtal/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-30 13:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3892842863-2275708963-895663736-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1232)
c:\windows\system32\WININET.dll
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\HPZipm12.exe
c:\windows\wanmpsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\docume~1\BRIANW~1\LOCALS~1\Temp\clclean.0001
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-11-30 14:00:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-30 19:00
ComboFix2.txt 2011-11-29 16:57
ComboFix3.txt 2011-11-28 21:25
.
Pre-Run: 23,220,142,080 bytes free
Post-Run: 23,251,861,504 bytes free
.
- - End Of File - - 5316E7EC315CCEE0E9F68F071ADDE85C

As regards the system overall, it seems to be running very well now, with no more of the original problem with the ping.exe process. Yesterday I had two instances of Internet Explorer opening up an unrequested new window (to a health check site) but I can't remember if that was before or after running the various procedures you asked me to do. However, it hasn't happened at all today in the 3 hours I've had the computer and Internet Explorer running. So, all in all, things are now looking extremely good.

Best wishes

Brian Wilks

#12 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 01 December 2011 - 01:49 AM

If no problems, it's time to secure your system to prevent against further intrusions.

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#13 Brian Wilk

New Member

Authentic Member
8 posts

Posted 01 December 2011 - 11:47 AM

Hello Blade Well, I carried out all those steps you mentioned and everything seems to be running perfectly. I was a little worried that when I first downloaded the Secunia tool, it used 50% of the CPU resources for a long time (about 3-5 minutes). However, it seems it was only running its initial scan of my system, as it soon popped up a message about the system - and then its CPU usage subsided to 0-1%. I'm normally pretty good about updates and have both Windows and my virus-checker set to automatic. Although it was odd that, when I visited the Windows update site as you requested, there were 3 updates that needed to be done. So maybe I shouldn't just rely on the auto-update setting I have and should check manually every 2 weeks or so as well? As I say, though, everything seems good now and I can't thank you enough for your patience and help in sorting out my problem. You (and all your colleagues on this site) are the best! Best wishes Brian Wilks

#14 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 01 December 2011 - 01:14 PM

You're welcome

I'm normally pretty good about updates and have both Windows and my virus-checker set to automatic. Although it was odd that, when I visited the Windows update site as you requested, there were 3 updates that needed to be done. So maybe I shouldn't just rely on the auto-update setting I have and should check manually every 2 weeks or so as well?

Normally important updates should be offered automatically when automatic updating is set. Anyway, checking Windows Update back occasionally will guarantee you get all of those important ones

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

#15 Blade81

SuperMember

Visiting Fellow
1,065 posts

Interests:Floorball, football, music, computers..

Posted 12 December 2011 - 10:45 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 ASAP & UNITE member since 2006

Body Background

skin color theme