sweetladoo asked:

Trouble removing "Additional Guard" Rogue Software

I've been working on this XP Pro SP3 computer for an entire day!  It has the Additional Guard rogue software on it.

It stopped the antivirus and Task Manager from working and browser hijacked to bogus sites.

I've run Malwarebytes AntiMalware, Smitfraudfix, SDFix.  Removed over 700 infections.  Still have it.  Tried manual removal in safe mode using instructions found at various web sites - deleted specified registry keys, named files, tried to unreg the .dlls as instructed.  This got the computer at least usable but Additional Guard is still running!  And when I browse to Google.com it's a Netherlands home page!

Now I can access Task Manager but none of the processes match what is listed on the web.  I used Process Explorer as well.

Anyone have any firsthand experience with this bug?  I'm out of ideas at this point and the client can't run her business without the computer...
optoma

You could run a live cd scanner or slave the drive in another machine and scan again with Mbam and an anti-virus software.

If you do that, make note of any deletions, as if legit system files were infected and thus deleted, they would have to be replaced for the machine to boot correctly afterwards.
rpggamergirl
Try OTS and show us the log.
Download OTS to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
http://oldtimer.geekstogo.com/OTS.exe

Open the OTS folder and double-click on OTS.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.
OR:
You can try this beta version of ComboFix, at your own risk. (NOTE: it is still beta)
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

We also need to see the logfile.
sweetladoo (asker)

Ran Kaspersky CD Scanner, didn't find anything

ComboFix/Kittyfix log posted below.  It recognized that Additional Guard was running but doesn't see it as rogue software
ComboFix 09-12-17.03 - Host Susan 12/18/2009  10:59:23.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3518.2870 [GMT -5:00]
Running from: c:\temp\KittyFix.exe
AV: Additional Guard *On-access scanning enabled* (Updated) {2F2B00AB-E848-4B9B-9845-EF4620120D60}
AV: avast! antivirus 4.8.1368 [VPS 091218-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Additional Guard *enabled* {4583E239-6E7C-4AA8-A954-1FF4A8DFC208}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\Fonts\RandFont.dll
c:\windows\kb913800.exe
c:\windows\system32\tmp.reg
D:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_PASSWORD


(((((((((((((((((((((((((   Files Created from 2009-11-18 to 2009-12-18  )))))))))))))))))))))))))))))))
.

2009-12-18 15:57 . 2009-12-18 15:24	3857212	----a-r-	c:\temp\KittyFix.exe
2009-12-18 02:23 . 2009-12-18 02:23	--------	d-----w-	c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-12-17 22:59 . 2009-12-17 22:59	--------	d-----w-	c:\documents and settings\Admin\Application Data\Online Backup
2009-12-17 16:16 . 2009-11-24 23:49	48560	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-12-17 16:16 . 2009-11-24 23:48	23120	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-12-17 16:16 . 2009-11-24 23:47	27408	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2009-12-17 16:16 . 2009-11-24 23:47	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-12-17 16:16 . 2009-11-24 23:51	93424	----a-w-	c:\windows\system32\drivers\aswmon.sys
2009-12-17 16:16 . 2009-11-24 23:50	94160	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2009-12-17 16:16 . 2009-11-24 23:50	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-12-17 16:16 . 2009-11-24 23:50	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-12-17 16:16 . 2009-11-24 23:54	1280480	----a-w-	c:\windows\system32\aswBoot.exe
2009-12-17 16:16 . 2009-12-17 16:16	--------	d-----w-	c:\program files\Alwil Software
2009-12-17 16:03 . 2009-12-17 16:03	578560	----a-w-	c:\windows\system32\dllcache\user32.dll
2009-12-17 16:01 . 2009-12-17 16:01	--------	d-----w-	c:\windows\ERUNT
2009-12-17 15:26 . 2009-12-17 12:32	793200	----a-w-	c:\temp\Norton_Removal_Tool.exe
2009-12-17 12:25 . 2009-12-17 12:25	--------	d-----w-	c:\program files\Belarc
2009-12-17 12:25 . 2008-02-27 17:49	3840	----a-w-	c:\windows\system32\drivers\BANTExt.sys
2009-12-17 11:49 . 2009-12-17 11:49	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-17 11:45 . 2009-12-17 11:45	--------	d-sh--w-	c:\documents and settings\Administrator\IETldCache
2009-12-17 11:38 . 2009-12-17 11:38	--------	d-----w-	c:\temp\SmitfraudFix
2009-12-17 03:48 . 2009-12-17 03:48	--------	d-----w-	C:\SAV32CLI
2009-12-17 02:19 . 2009-12-17 02:20	1529241	----a-w-	C:\SDFix.exe
2009-12-17 02:19 . 2009-12-17 16:11	--------	d-----w-	C:\SDFix
2009-12-17 02:18 . 2009-12-17 02:17	389120	----a-w-	c:\windows\system32\CF2632.exe
2009-12-16 16:16 . 2009-12-16 16:22	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-12-16 16:14 . 2009-12-18 15:57	--------	d-----w-	C:\temp
2009-12-16 15:38 . 2009-12-17 15:36	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2009-12-16 15:21 . 2009-12-16 15:21	--------	d-----w-	c:\documents and settings\TEST\Application Data\AVG8
2009-12-15 18:35 . 2009-12-15 18:35	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Intuit
2009-12-15 18:35 . 2009-12-15 18:35	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Identities
2009-12-15 18:35 . 2009-12-15 18:35	--------	d-----w-	c:\documents and settings\Admin\Application Data\Windows Desktop Search
2009-12-15 18:33 . 2007-04-11 15:01	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Microsoft Help
2009-12-15 18:33 . 2006-09-07 02:49	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\ApplicationHistory
2009-12-15 18:33 . 2006-09-07 02:44	--------	d-----w-	c:\documents and settings\Admin\Application Data\Intuit
2009-12-15 18:33 . 2006-09-07 02:42	--------	d-----w-	c:\documents and settings\Admin\WINDOWS
2009-12-15 18:33 . 2006-09-07 02:34	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\Wildtangent
2009-12-15 18:33 . 2006-09-07 02:09	--------	d-----w-	c:\documents and settings\Admin\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
2009-12-15 18:33 . 2009-12-15 18:34	--------	d-----w-	c:\documents and settings\Admin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-18 06:26 . 2008-12-08 23:15	--------	d-----w-	c:\documents and settings\TEST\Application Data\Online Backup
2009-12-18 06:14 . 2008-10-02 13:52	--------	d-----w-	c:\program files\LogMeIn
2009-12-17 15:28 . 2006-09-07 03:00	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2009-12-16 15:19 . 2007-06-04 14:09	--------	d-----w-	c:\program files\MSECACHE
2009-12-16 14:41 . 2008-12-04 23:23	4641	----a-w-	c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys
2009-12-16 13:39 . 2006-09-07 02:04	--------	d-----w-	c:\program files\GemMaster
2009-12-16 13:39 . 2006-09-07 02:44	--------	d-----w-	c:\program files\DivX
2009-12-16 13:20 . 2008-12-03 23:00	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-12-16 13:20 . 2009-12-16 13:20	4844295	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-15 18:35 . 2009-12-15 18:33	104176	----a-w-	c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-15 18:35 . 2009-12-15 18:33	128	----a-w-	c:\documents and settings\Admin\Local Settings\Application Data\fusioncache.dat
2009-12-09 08:06 . 2007-03-20 13:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 21:14 . 2008-12-03 23:00	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2008-12-03 23:00	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-11-26 00:06 . 2009-08-28 12:57	--------	d-----w-	c:\documents and settings\TEST\Application Data\HpUpdate
2009-11-24 14:06 . 2006-09-07 02:09	--------	d-----w-	c:\program files\Java
2009-11-24 14:05 . 2009-11-24 14:05	152576	----a-w-	c:\documents and settings\TEST\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 14:05 . 2009-11-24 14:05	79488	----a-w-	c:\documents and settings\TEST\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 04:13 . 2008-02-27 15:09	--------	d-----w-	c:\program files\Windows Live
2009-11-10 20:52 . 2007-06-13 21:01	--------	d-----w-	c:\program files\Common Files\Adobe
2009-10-29 07:45 . 2004-08-09 21:00	916480	----a-w-	c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-09 21:00	75776	----a-w-	c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-09 21:00	25088	----a-w-	c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-09 21:00	265728	----a-w-	c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-09 21:00	270336	----a-w-	c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-09 21:00	149504	----a-w-	c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-09 21:00	79872	----a-w-	c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-01-22 17:09	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-10-10 18:14 . 2009-10-10 18:14	552	----a-w-	c:\windows\system32\d3d8caps.dat
2009-10-08 20:42 . 2009-06-03 17:53	104176	----a-w-	c:\documents and settings\user2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 06:31 . 2008-12-05 02:28	816392	----a-w-	c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\Components\DownloadQB17\Patch\qbpatch2.exe
2009-10-01 16:51 . 2008-10-02 13:53	83288	----a-w-	c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 16:51 . 2008-10-02 13:53	87352	----a-w-	c:\windows\system32\LMIinit.dll
2009-10-01 16:51 . 2008-08-27 18:44	28984	----a-w-	c:\windows\system32\LMIport.dll
2008-07-18 13:16 . 2008-07-18 13:16	0	-c--a-w-	c:\program files\error.dat
2008-03-10 13:49 . 2008-03-09 18:31	88	-csh--r-	c:\windows\system32\A4E32A147C.sys
2008-03-10 13:49 . 2008-03-09 18:31	2516	--sha-w-	c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"OnlineBackupScheduler"="c:\program files\QuickBooks Online Backup\OnlineBackup.exe" [2007-11-02 610304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort9reminder"="c:\program files\ScanSoft\PaperPort\WebEreg\Ereg.exe" [2004-10-27 729088]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-31 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\user2\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\user7\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-6 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\QBDataServiceUser17.SUSANS\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-6 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-6 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Online Backup Scheduler.lnk - c:\windows\Installer\{A9255718-8A40-45F9-B738-93655FBD4F6F}\_C90BDFE323B95CEE248723.exe [2008-12-8 1078]
QuickBooks Database Server Manager.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe [2009-9-16 140576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 16:51	87352	----a-w-	c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TEST^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\TEST\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^TEST^Start Menu^Programs^Startup^PinMcLnk.lnk]
path=c:\documents and settings\TEST\Start Menu\Programs\Startup\PinMcLnk.lnk
backup=c:\windows\pss\PinMcLnk.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 17:08	935288	----a-r-	c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08	35696	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 15:43	69632	----a-w-	c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-02 23:19	77312	----a-w-	c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-03-02 20:32	630784	------w-	c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-11-07 23:03	65536	------w-	c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 09:05	90112	----a-w-	c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftutil2]
2004-06-07 14:05	106496	----a-w-	c:\windows\system32\ftutil2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter]
2006-10-30 16:00	192512	-c--a-w-	c:\program files\BellSouth\HelpCenter\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24	54840	----a-w-	c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-15 22:34	249856	----a-w-	c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2006-01-13 06:58	188416	----a-w-	c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 18:45	40960	----a-w-	c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 23:50	221184	----a-w-	c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 23:50	81920	----a-w-	c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14	1394000	----a-w-	c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 15:50	7311360	----a-w-	c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-09 15:50	1519616	----a-w-	c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 18:25	57393	----a-w-	c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-03-31 03:25	413696	----a-w-	c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-22 22:14	237568	----a-w-	c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2004-12-14 02:23	663552	-c--a-w-	c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-10-25 08:57	16855552	----a-w-	c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22	155648	------w-	c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17	149280	----a-w-	c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-29 13:34	185896	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [12/17/2009 11:16 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2009 11:16 AM 20560]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/2/2008 8:53 AM 47640]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [9/11/2007 10:05 AM 20160]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [7/24/2008 5:45 PM 12192]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
------- Supplementary Scan -------
.
DPF: {30985566-E01F-11D2-85DB-EA44DE000000} - hxxp://www2.callsunshine.com/irthinternet/IrthInternetLibrary/IRTHMapDisplay.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe
MSConfigStartUp-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-18 11:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1076)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\arservice.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PSIService.exe
c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
.
**************************************************************************
.
Completion time: 2009-12-18  11:19:36 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-18 16:19

Pre-Run: 197,874,225,152 bytes free
Post-Run: 197,802,184,704 bytes free

- - End Of File - - B0C8A2E2FCB61923CED8CAAEEF0C6695

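The AV: and FW: lines at the top of that report deserve a second look. They are the products registered with Windows Security Center, not detections, which is why ComboFix lists Additional Guard as an antivirus and a firewall instead of flagging it: the rogue appears to have registered itself there (on XP those registrations live in the WMI root\SecurityCenter namespace, AntiVirusProduct and FirewallProduct classes). The script below is an added example written for this thread, not part of the original post and not ComboFix's own tooling. It parses a ComboFix report into the pieces a responder keys on (Security Center registrations, firewall policy, globally open ports, Run-key autostarts, removed orphans) and prints triage findings. The sample excerpt is constructed from lines of the log above plus one invented Run entry named constructed_example so the user-writable-path rule has something to fire on; the EXPECTED_PRODUCTS allowlist, the path roots and the heuristics are assumptions the responder should tune, not rules ComboFix applies.

```python
"""Triage a ComboFix report: pull out the Security Center registrations, the
firewall policy state, Run-key autostarts and removed orphans, and list the
items a responder should check first. Added example for this thread; the
heuristics and allowlist below are assumptions, not ComboFix's own logic."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed excerpt: lines copied from the report above plus ONE invented
# Run entry ("constructed_example") so the user-writable-path rule fires.
# Not a complete ComboFix log.
SAMPLE_LOG = r"""ComboFix 09-12-17.03 - Host Susan 12/18/2009  10:59:23.1.2 - x86
AV: Additional Guard *On-access scanning enabled* (Updated) {2F2B00AB-E848-4B9B-9845-EF4620120D60}
AV: avast! antivirus 4.8.1368 [VPS 091218-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Additional Guard *enabled* {4583E239-6E7C-4AA8-A954-1FF4A8DFC208}
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"constructed_example"="c:\documents and settings\Admin\Local Settings\Temp\constructed_example.exe" [2009-12-18 1024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe
"""

PRODUCT_RE = re.compile(r'^(AV|FW): (.*?) \*([^*]+)\*.*\{([0-9A-Fa-f-]{36})\}\s*$')
KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*(\S+)')
ORPHAN_RE = re.compile(r'^MSConfigStartUp-(\S+) - (.+?)\s*$')

# Assumption: products the technician installed on purpose (lowercase prefixes).
# Anything else registered with Security Center is treated as suspect.
EXPECTED_PRODUCTS = ('avast! antivirus',)

# Assumption: autostarts that run from a profile, temp or recycler directory
# are worth a look; binaries under Program Files / Windows are not flagged here.
USER_WRITABLE_ROOTS = (r'c:\documents and settings', r'c:\temp', r'c:\recycler',
                       r'c:\windows\temp')


@dataclass
class ComboFixSummary:
    products: List[Tuple[str, str, str, str]] = field(default_factory=list)  # kind, name, state, guid
    firewall_enabled: bool = True
    open_ports: List[Tuple[int, str, str]] = field(default_factory=list)     # port, proto, state
    autostarts: List[Tuple[str, str, str]] = field(default_factory=list)     # key, value name, path
    orphans: List[Tuple[str, str]] = field(default_factory=list)             # orphan name, path


def parse_combofix(text: str) -> ComboFixSummary:
    """Walk the report line by line, remembering the registry key in force."""
    s = ComboFixSummary()
    current_key = ''
    for line in text.splitlines():
        if m := PRODUCT_RE.match(line):
            s.products.append((m[1], m[2], m[3], m[4].upper()))
        elif m := KEY_RE.match(line):
            current_key = m[1]
        elif m := FIREWALL_RE.match(line):
            s.firewall_enabled = m[1] != '0'
        elif m := PORT_RE.match(line):
            fields = m[3].split(':')            # port:proto:scope:state:description
            s.open_ports.append((int(m[1]), m[2], fields[3] if len(fields) > 3 else '?'))
        elif m := ORPHAN_RE.match(line):
            s.orphans.append((m[1], m[2]))
        elif (m := VALUE_RE.match(line)) and \
                current_key.lower().rsplit('\\', 1)[-1] in ('run', 'runonce'):
            s.autostarts.append((current_key, m[1], m[2]))
    return s


def triage(s: ComboFixSummary) -> List[str]:
    """Apply the heuristics above and return human-readable findings."""
    findings: List[str] = []
    kinds_by_name: Dict[str, Set[str]] = {}
    for kind, name, state, guid in s.products:
        kinds_by_name.setdefault(name, set()).add(kind)
        if not name.lower().startswith(EXPECTED_PRODUCTS):
            findings.append(f'unexpected Security Center {kind} registration: {name} {{{guid}}} ({state})')
    for name, kinds in kinds_by_name.items():
        # A single unknown product posing as both AV and firewall is the pattern of a rogue suite.
        if kinds == {'AV', 'FW'} and not name.lower().startswith(EXPECTED_PRODUCTS):
            findings.append(f'{name} is registered as both antivirus and firewall; typical of a rogue suite')
    if not s.firewall_enabled:
        findings.append('Windows Firewall (standard profile) is disabled')
    for port, proto, state in s.open_ports:
        if state.lower() != 'disabled':     # a Disabled exception is inert, so skip it
            findings.append(f'globally open port {port}/{proto} is {state}')
    for key, name, path in s.autostarts:
        if path.lower().startswith(USER_WRITABLE_ROOTS):
            findings.append(f'autostart "{name}" in {key} runs from a user-writable path: {path}')
    for name, path in s.orphans:
        findings.append(f'orphaned autostart {name} was removed; confirm {path} is gone too')
    return findings


if __name__ == '__main__':
    text = SAMPLE_LOG
    if len(sys.argv) > 1:   # ComboFix writes its report as ANSI text
        with open(sys.argv[1], encoding='cp1252', errors='replace') as fh:
            text = fh.read()
    for finding in triage(parse_combofix(text)):
        print('-', finding)
```

Run it without arguments to see the findings for the constructed excerpt, or pass the path of a saved ComboFix.txt. If the Additional Guard registration is still present after its files are removed, `wmic /namespace:\\root\securitycenter path antivirusproduct get displayname,instanceguid` (and the same with firewallproduct) lists it, and `wmic /namespace:\\root\securitycenter path antivirusproduct where "displayName='Additional Guard'" delete` removes the instance; that assumes the entry is a plain WMI instance and not one a still-running component re-creates, so clear it last and re-check. The disabled 3389 exception and the "EnableFirewall"= 0 value are worth fixing regardless of the rogue, since avast! and the Windows Firewall are both off in this report.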

ASKER CERTIFIED SOLUTION
rpggamergirl

This solution is only available to Experts Exchange members.
Thank you rpggamergirl