Free Malware Removal Forum

[droidnoise]

I don't have Internet Explorer. It was corrupted when this whole virus thing started and I had to switch to Firefox.

[turtledove]

Hello droidnoise,

Do you have the software for your printer? If so, have you tried reinstalling it?
Copy these instructions to Notepad and save them if printer still not working.

Step 1
Online Multi Antivirus file scan

Please go to either: Jotti or Virus Total and upload the following file(s) for scanning:

c:\windows\system32\drivers\hdfmopkg.sys

Using Jotti

1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
2. Click on Submit..button.
3. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
4. When all scans have completed... Highlight the results text, beginning with "File...and select all text down to the last scan result.
5. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
6. Please repeat this procedure for each file listed above.
7. Paste the contents of all the Jotti scan results in your next reply.

OR

Using Virus Total

1. Please copy and paste... the above mentioned full path and file name...in the text box next to the Browse button.
2. Click on Send File...button.
3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
4. When the scan is completed...press the "Compact" icon
5. The results will be shown in a grid like window...please Select and Copy the entire contents.
6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
7. Please repeat this procedure for each file listed above.
8. Paste the contents of all the Virus Total results in your next reply.

Step 2

ESET online scannner


Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Please go Here then click on:
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:

• Scan for potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth Technology
• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  
• When completed the Online Scan will begin automatically.
  
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.

Step 3
SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code: Select all

      :filefind
      *proquota*
      

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found at on your Desktop entitled SystemLook.txt


Post
Answer about Printer
Jotti or VirusTotal Results
ESET Scan Results
SystemLook.txt

Thank you

TD

[droidnoise]

OK, CA antivirus is re-installed and updated, printer is working, google search results work correctly BUT... I don't have the file; c:\windows\system32\drivers\hdfmopkg.sys to proceed with these steps. Please advise

[turtledove]

Hello droidnoise,

Thanks for letting me know. Two things:
1. When you reinstalled the CA Antivirus, did it do a complete scan? If so, did it remove or quarantine anything?
2. Let's be sure that file isn't hidden.
*If you do not find the file this time proceed with the rest of the instructions

Step 1
Reconfigure Windows XP to show hidden files

To enable the viewing of Hidden files follow these steps:

• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and shutdown My Computer.
• Now your computer is configured to show all hidden files.

Step 2
Retry File Sumission
Please go to either: Jotti or Virus Total and upload the following file(s) for scanning:

c:\windows\system32\drivers\hdfmopkg.sys

Using Jotti

1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
2. Click on Submit..button.
3. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
4. When all scans have completed... Highlight the results text, beginning with "File...and select all text down to the last scan result.
5. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
6. Please repeat this procedure for each file listed above.
7. Paste the contents of all the Jotti scan results in your next reply.

OR

Using Virus Total

1. Please copy and paste... the above mentioned full path and file name...in the text box next to the Browse button.
2. Click on Send File...button.
3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
4. When the scan is completed...press the "Compact" icon
5. The results will be shown in a grid like window...please Select and Copy the entire contents.
6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
7. Please repeat this procedure for each file listed above.
8. Paste the contents of all the Virus Total results in your next reply.

*If the file is not found, please continue with these steps:

Step 3

ESET online scannner


Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Please go Here then click on:
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
  
• When prompted allow the Add-On/Active X to install.
  
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  
• Now click on Advanced Settings and select the following:

• Scan for potentially unwanted applications
  
• Scan for potentially unsafe applications
  
• Enable Anti-Stealth Technology
• Now click on:
  
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  
• When completed the Online Scan will begin automatically.
  
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  
• Now click on:
  
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  
• Copy and paste that log as a reply to this topic.

Step 4
SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code: Select all

      :filefind
      *proquota*
      

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found at on your Desktop entitled SystemLook.txt


Post
Answer to questions
Jotti or VirusTotal Results if file found
ESET Scan Results
SystemLook.txt

Thank you

TD

[droidnoise]

Sorry this has gotten so complicated BUT, No, CA didn't find or quarantine anything. I performed the steps to show hidden files and still... "no file found". DID I have this, c:\windows\system32\drivers\hdfmopkg.sys file at one time? SHOULD I have it?

[turtledove]

Hello droidnoise,

Thanks for telling me. No worries. Please continue with the other steps for now.

Thank you

TD

[droidnoise]

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=4390db4ff388ba4a9d045b9c9bb775b2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-19 02:03:26
# local_time=2009-08-18 09:03:26 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=4865 21 100 100 357569062500
# compatibility_mode=5889 61 66 100 750834168281250
# scanned=53286
# found=0
# cleaned=0
# scan_time=2777

[droidnoise]

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 21:16 on 18/08/2009 by O'Kelley (Administrator - Elevation successful)

No Context: :filefind

No Context: *proquota*

-=End Of File=-

[turtledove]

Hello droidnoise,

Thanks for the logs.
*Please Copy/Print for reference*

First
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FILE ::
c:\windows\system32\drivers\Start1Driver.SYS

Driver::
Start1Driver

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Please Open HijackThis
Select Scan and Save File
Post new log in next reply



Post
C:\ComboFix.txt
New HijackThis log
How is the Computer doing now?

Thank you
TD

[droidnoise]

It "seems" to be fine. Do the scans look good?

FILE ::
c:\windows\system32\drivers\Start1Driver.SYS

Driver::
Start1Driver


ComboFix 09-08-10.06 - O'Kelley 08/21/2009 8:03.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.256 [GMT -5:00]
Running from: c:\documents and settings\O'Kelley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\O'Kelley\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-19 01:14 . 2009-08-19 01:14 -------- d-----w- c:\program files\ESET
2009-08-17 12:43 . 2009-08-17 12:42 108368 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-08-17 12:43 . 2009-08-17 12:42 880560 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-08-17 12:40 . 2006-10-09 21:39 32528 ------w- c:\windows\system32\drivers\vetmonnt.sys
2009-08-17 12:40 . 2006-10-09 21:39 21648 ------w- c:\windows\system32\drivers\vetfddnt.sys
2009-08-17 12:40 . 2006-10-09 21:39 21392 ------w- c:\windows\system32\drivers\vet-rec.sys
2009-08-17 12:40 . 2006-10-09 21:39 26640 ------w- c:\windows\system32\drivers\vet-filt.sys
2009-08-17 12:40 . 2006-10-09 21:39 75280 ------w- c:\windows\system32\isafprod.dll
2009-08-17 12:40 . 2006-10-09 21:39 95760 ------w- c:\windows\system32\isafeif.dll
2009-08-17 12:40 . 2006-08-05 19:21 75280 ------w- c:\windows\system32\vetredir.dll
2009-08-14 19:41 . 2009-08-14 19:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-08-13 00:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 22:59 . 2009-08-10 22:59 -------- d-----w- C:\rsit
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 23:25 . 2009-08-17 13:22 -------- d-----w- c:\program files\Common Files\Scanner
2009-08-03 23:25 . 2009-02-18 18:54 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll
2009-08-03 22:19 . 2009-03-14 11:48 5120 ----a-w- c:\windows\system32\drivers\Start1Driver.SYS
2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 15:25 . 2008-05-13 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-20 08:12 . 2009-08-20 08:12 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.8
2009-08-20 08:12 . 2009-08-20 08:12 26640 ----a-w- c:\windows\system32\drivers\vet-filt.8
2009-08-20 08:12 . 2009-08-20 08:12 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.8
2009-08-20 08:12 . 2009-08-20 08:12 21392 ----a-w- c:\windows\system32\drivers\vet-rec.8
2009-08-20 00:11 . 2009-08-20 00:11 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.7
2009-08-20 00:11 . 2009-08-20 00:11 26640 ----a-w- c:\windows\system32\drivers\vet-filt.7
2009-08-20 00:11 . 2009-08-20 00:11 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.7
2009-08-20 00:11 . 2009-08-20 00:11 21392 ----a-w- c:\windows\system32\drivers\vet-rec.7
2009-08-19 16:10 . 2009-08-19 16:10 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.6
2009-08-19 16:10 . 2009-08-19 16:10 26640 ----a-w- c:\windows\system32\drivers\vet-filt.6
2009-08-19 16:10 . 2009-08-19 16:10 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.6
2009-08-19 16:10 . 2009-08-19 16:10 21392 ----a-w- c:\windows\system32\drivers\vet-rec.6
2009-08-19 08:09 . 2009-08-19 08:09 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.5
2009-08-19 08:09 . 2009-08-19 08:09 26640 ----a-w- c:\windows\system32\drivers\vet-filt.5
2009-08-19 08:09 . 2009-08-19 08:09 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.5
2009-08-19 08:09 . 2009-08-19 08:09 21392 ----a-w- c:\windows\system32\drivers\vet-rec.5
2009-08-19 00:08 . 2009-08-19 00:08 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.4
2009-08-19 00:08 . 2009-08-19 00:08 26640 ----a-w- c:\windows\system32\drivers\vet-filt.4
2009-08-19 00:08 . 2009-08-19 00:08 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.4
2009-08-19 00:08 . 2009-08-19 00:08 21392 ----a-w- c:\windows\system32\drivers\vet-rec.4
2009-08-18 16:07 . 2009-08-18 16:07 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.3
2009-08-18 16:07 . 2009-08-18 16:07 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.3
2009-08-18 16:07 . 2009-08-18 16:07 21392 ----a-w- c:\windows\system32\drivers\vet-rec.3
2009-08-18 16:07 . 2009-08-18 16:07 26640 ----a-w- c:\windows\system32\drivers\vet-filt.3
2009-08-18 08:06 . 2009-08-18 08:06 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.2
2009-08-18 08:06 . 2009-08-18 08:06 26640 ----a-w- c:\windows\system32\drivers\vet-filt.2
2009-08-18 08:06 . 2009-08-18 08:06 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.2
2009-08-18 08:06 . 2009-08-18 08:06 21392 ----a-w- c:\windows\system32\drivers\vet-rec.2
2009-08-18 00:05 . 2009-08-18 00:05 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.1
2009-08-18 00:05 . 2009-08-18 00:05 26640 ----a-w- c:\windows\system32\drivers\vet-filt.1
2009-08-18 00:05 . 2009-08-18 00:05 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.1
2009-08-18 00:05 . 2009-08-18 00:05 21392 ----a-w- c:\windows\system32\drivers\vet-rec.1
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:40 . 2009-07-17 12:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-03 23:25 . 2008-01-09 23:20 -------- d-----w- c:\program files\CA
2009-08-02 22:22 . 2009-07-06 18:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 04:37 . 2004-08-12 14:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-12 13:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-19 03:40 . 2008-01-20 23:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2004-08-12 13:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:22 . 2008-05-13 23:48 -------- d-----w- c:\program files\Google
2009-07-14 15:59 . 2009-07-14 15:59 -------- d-----w- c:\program files\Trend Micro
2009-07-14 04:43 . 2004-08-12 14:10 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 02:31 . 2008-01-20 23:16 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\AdobeUM
2009-07-07 18:58 . 2009-07-07 18:58 0 ----a-w- c:\windows\nsreg.dat
2009-07-06 23:00 . 2004-08-12 13:57 1033728 ----a-w- c:\windows\explorer.exe
2009-07-06 21:34 . 2008-01-10 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-06 18:43 . 2009-07-06 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-12 12:31 . 2004-08-12 14:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-01-05 18:48 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-12 14:09 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2006-10-09 177680]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2009-08-17 333040]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2006-10-09 226832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 20:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R1 Start1Driver;Start1Driver;c:\windows\system32\drivers\Start1Driver.SYS [8/3/2009 5:19 PM 5120]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [8/3/2009 6:24 PM 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
S1 hdfmopkg;hdfmopkg;\??\c:\windows\system32\drivers\hdfmopkg.sys --> c:\windows\system32\drivers\hdfmopkg.sys [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [1/12/2008 10:19 AM 17408]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/3/2009 6:25 PM 222448]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\O'Kelley\Desktop\SysProt\SysProtDrv.sys [8/13/2009 3:50 PM 44288]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CACCPROVSP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 16:54]

2009-08-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toast.net/start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\O'Kelley\Application Data\Mozilla\Firefox\Profiles\i4innrkf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1396)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1604)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(4340)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-21 8:09
ComboFix-quarantined-files.txt 2009-08-21 13:09
ComboFix2.txt 2009-08-13 21:26
ComboFix3.txt 2009-08-13 20:39

Pre-Run: 141,136,891,904 bytes free
Post-Run: 141,490,204,672 bytes free

213 --- E O F --- 2009-08-13 08:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:52 AM, on 8/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jin ... s-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg

--
End of file - 7492 bytes

[turtledove]

Hello droidnoise,

Lets retry that CF Script again. We need to update Combofix so we have it function correctly. We have only a few files to check on. We will take care of those, and updates in a bit. You're doing fine.

Step 1
Delete ONLY Combofix.exe, Not it's folders.
Download a New Copy from either link:
Link 1
Link 2

Next
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FILE::
c:\windows\system32\drivers\Start1Driver.SYS

SRPeek::
c:\windows\system32\proquota.exe

Driver::
Start1Driver

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

Please Open HijackThis
Select Scan and Save File
Post new log in next reply



Post
C:\ComboFix.txt
New HijackThis log
How is the Computer doing now?

Thank you
TD

[droidnoise]

ComboFix 09-08-21.02 - O'Kelley 08/22/2009 7:52.4.2 - NTFSx86
Running from: c:\documents and settings\O'Kelley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\O'Kelley\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FILE ::
"c:\windows\system32\drivers\Start1Driver.SYS"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\Start1Driver.SYS

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_START1DRIVER
-------\Service_Start1Driver


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-19 01:14 . 2009-08-19 01:14 -------- d-----w- c:\program files\ESET
2009-08-17 12:43 . 2009-08-17 12:42 108368 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-08-17 12:43 . 2009-08-17 12:42 880560 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-08-17 12:40 . 2009-08-22 08:16 75280 ----a-w- c:\windows\system32\isafprod.dll
2009-08-17 12:40 . 2009-08-22 08:16 32528 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-08-17 12:40 . 2009-08-22 08:16 26640 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-08-17 12:40 . 2009-08-22 08:16 21648 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-08-17 12:40 . 2009-08-22 08:16 21392 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-08-17 12:40 . 2009-08-22 08:16 99904 ----a-w- c:\windows\system32\isafeif.dll
2009-08-17 12:40 . 2009-08-22 08:16 79424 ----a-w- c:\windows\system32\vetredir.dll
2009-08-14 19:41 . 2009-08-14 19:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2009-08-13 00:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 22:59 . 2009-08-10 22:59 -------- d-----w- C:\rsit
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 21:59 . 2009-08-10 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 21:59 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 23:25 . 2009-08-17 13:22 -------- d-----w- c:\program files\Common Files\Scanner
2009-08-03 23:25 . 2009-02-18 18:54 111856 ----a-w- c:\windows\system32\wbem\canvprov.dll
2009-07-29 04:37 . 2009-07-29 04:37 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:37 . 2009-07-29 04:37 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 16:26 . 2008-05-13 23:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 23:40 . 2009-07-17 12:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-03 23:25 . 2008-01-09 23:20 -------- d-----w- c:\program files\CA
2009-08-02 22:22 . 2009-07-06 18:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-29 04:37 . 2004-08-12 14:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-12 13:57 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-19 03:40 . 2008-01-20 23:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2004-08-12 13:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 12:22 . 2008-05-13 23:48 -------- d-----w- c:\program files\Google
2009-07-14 15:59 . 2009-07-14 15:59 -------- d-----w- c:\program files\Trend Micro
2009-07-14 04:43 . 2004-08-12 14:10 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 02:31 . 2008-01-20 23:16 -------- d-----w- c:\documents and settings\O'Kelley\Application Data\AdobeUM
2009-07-07 18:58 . 2009-07-07 18:58 0 ----a-w- c:\windows\nsreg.dat
2009-07-06 23:00 . 2004-08-12 13:57 1033728 ----a-w- c:\windows\explorer.exe
2009-07-06 21:34 . 2008-01-10 01:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-06 18:43 . 2009-07-06 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-12 12:31 . 2004-08-12 14:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2008-01-05 18:48 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-12 13:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-12 14:09 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
((((((((((((((((((((((((((((( SnapShot@2009-08-13_20.31.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 13:00 . 2009-08-22 13:00 40960 c:\windows\temp\rtdrvmon.exe
- 2009-08-13 20:30 . 2009-08-13 20:30 40960 c:\windows\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2004-04-15 270336]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-22 177392]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"CAPPActiveProtection"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe" [2009-08-17 333040]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-08-22 230664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-06-06 20:46 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"spkrmon"=2 (0x2)
"ose"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [1/5/2009 11:36 AM 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [11/18/2008 12:14 PM 72696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\CA\CA Internet Security Suite\ccschedulersvc.exe [8/3/2009 6:24 PM 128240]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [12/12/2008 12:37 PM 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [12/10/2008 12:58 PM 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [12/19/2008 1:59 PM 297464]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [12/12/2008 12:37 PM 205304]
S1 hdfmopkg;hdfmopkg;\??\c:\windows\system32\drivers\hdfmopkg.sys --> c:\windows\system32\drivers\hdfmopkg.sys [?]
S3 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\BdHidCom.sys [1/12/2008 10:19 AM 17408]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/3/2009 6:25 PM 222448]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\O'Kelley\Desktop\SysProt\SysProtDrv.sys [8/13/2009 3:50 PM 44288]
S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-13 16:54]

2009-08-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toast.net/start
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\O'Kelley\Application Data\Mozilla\Firefox\Profiles\i4innrkf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.toast.net/start/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(812)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll

- - - - - - - > 'explorer.exe'(2576)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\wscntfy.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-22 8:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 13:04
ComboFix2.txt 2009-08-21 13:09
ComboFix3.txt 2009-08-13 21:26
ComboFix4.txt 2009-08-13 20:39

Pre-Run: 141,279,543,296 bytes free
Post-Run: 141,407,170,560 bytes free

209 --- E O F --- 2009-08-13 08:03

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:19 AM, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CAPPActiveProtection] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - https://carelink.minimed.com/plugin/jin ... s-i586.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 0: (no name) - http://photos-e.ak.fbcdn.net/photos-ak- ... 0_2925.jpg

--
End of file - 7459 bytes

[turtledove]

Hello droidnoise,

We need to replace a missing file on your computer.

Do you have access to a Clean XP computer? And do you have the ability to use a USB drive or do you have CDR/CDRW disks only?
Please let me know. Then we will proceed.

Thank you

TD

[droidnoise]

I have a friend with XP. I assume you mean a USB memory stick (or do you mean a USB connected hard drive?) Actually, I have need for both and would be willing to go get either, assuming they would work afterword for a Mac as well. Thanks

[turtledove]

Hello droidnoise,

I would suggest a USB Stick for now. As far as working on a MAC later, it should.

*Print/Copy instructions for reference.*


On the clean computer do this:
View Hidden Files & Folders Windows XP
To view Hidden Files & Folders do the following:
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

* Plug your usb drive into the clean computer or copy to a CD
* Navigate to C:\Windows\System32\proquota.exe
* Copy the proquota.exe file to your usb drive by either drag/drop or copy/paste
* Once the proquota.exe file is on your usb drive unplug it from the clean computer & plug it into the other computer
* Open your usb drive or the CD & copy the proquota.exe file to the C:\Windows\System32 folder by either drag/drop or copy/paste

Run ComboFix again please (if it asks to update allow it to do so).

Post New Combofix log
Any problems, how computer is running now

Thank you
TD