Run As pop-up window won't go away


23 replies to this topic

#16 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,831 posts)
Posted 28 December 2011 - 04:10 PM

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

#17 smurf_inferno (Active Member, 42 posts)
Posted 30 December 2011 - 06:01 PM

Okay. Thanks for the guidance. I'm going to run ComboFix in a few minutes, and when I'm done I'll post the logs and results. I'm a bit nervous. I feel I've lost track of exactly what I'm trying to fix. Here are the symptoms that I'm currently experiencing.

1) The ping.exe, if that is what it is, does not seem to be having the same disabling effect on my computer. But just looking at the little WiFi console icon in my task tray (thank you, XP), it looks like my computer is doing a lot of talking to the internet, and it seems like more than usual.

2) I use Firefox 9.0.1. Beginning earlier this week, Monday I think, new tabs have begun to open, seemingly spontaneously, when I navigate across the web. These new tabs often open web pages I've never been to, like News7.tv. Beginning Wednesday, whole new browser windows have begun to open with 12 active tabs. I have not been able to track down what is causing it.

3) Most disturbingly, on Dec. 23, I lost connection to the Microsoft Exchange server which delivers my e-mail to my computer. I can use Outlook neither from home nor from work (two different WiFi systems, and at work a direct line with WiFi turned off). In addition, when I'm at work, my computer no longer loads the school servers. With the Outlook issue, I've tried rebooting, repair, and troubleshoot, but nothing has worked.

The upshot with this latter is that if I cannot fix it, the tech people at work next week will do a clean install on my computer, and all the hours we've spent this last week or two will be for naught. And I will have learned nothing, because re-imaging doesn't explain the problem it fixed.

So there you are. I'm crossing my fingers about ComboFix, but if you have ideas, I'm listening. Thanks again. - R

#18 smurf_inferno (Active Member, 42 posts)
Posted 30 December 2011 - 06:58 PM

Here's the ComboFix file:

ComboFix 11-12-30.01 - rfindlay 12/30/2011 12:26:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2007.1518 [GMT -6:00]
Running from: c:\documents and settings\rfindlay\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\rfindlay\WINDOWS
c:\windows\$NtUninstallKB61402$
c:\windows\$NtUninstallKB61402$\3393791379\@
c:\windows\$NtUninstallKB61402$\3393791379\bckfg.tmp
c:\windows\$NtUninstallKB61402$\3393791379\cfg.ini
c:\windows\$NtUninstallKB61402$\3393791379\Desktop.ini
c:\windows\$NtUninstallKB61402$\3393791379\keywords
c:\windows\$NtUninstallKB61402$\3393791379\kwrd.dll
c:\windows\$NtUninstallKB61402$\3393791379\L\erhheinl
c:\windows\$NtUninstallKB61402$\3393791379\lsflt7.ver
c:\windows\$NtUninstallKB61402$\3393791379\U\00000001.@
c:\windows\$NtUninstallKB61402$\3393791379\U\00000002.@
c:\windows\$NtUninstallKB61402$\3393791379\U\00000004.@
c:\windows\$NtUninstallKB61402$\3393791379\U\80000000.@
c:\windows\$NtUninstallKB61402$\3393791379\U\80000004.@
c:\windows\$NtUninstallKB61402$\3393791379\U\80000032.@
c:\windows\$NtUninstallKB61402$\717081708
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-30 18:42 . 2011-12-30 18:42 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{424D5E6A-5D0C-4058-A653-D17FEC387BDD}\offreg.dll
2011-12-30 18:14 . 2008-04-13 19:19 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-30 17:43 . 2011-12-30 17:43 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2011-12-30 17:43 . 2011-12-30 17:43 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2011-12-30 17:43 . 2011-12-30 17:43 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2011-12-30 17:43 . 2011-12-30 17:43 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2011-12-29 19:26 . 2011-11-21 08:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{424D5E6A-5D0C-4058-A653-D17FEC387BDD}\mpengine.dll
2011-12-28 19:17 . 2011-12-28 19:17 -------- d-----w- c:\documents and settings\rfindlay\Local Settings\Application Data\PCHealth
2011-12-27 22:49 . 2011-12-27 22:49 -------- d-----w- c:\program files\Sophos
2011-12-24 21:09 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-24 18:05 . 2011-12-24 18:05 -------- d-----w- c:\documents and settings\rfindlay\Local Settings\Application Data\SanctionedMedia
2011-12-15 01:56 . 2011-11-21 08:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-13 14:44 . 2011-12-13 14:45 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-13 14:28 . 2011-12-30 18:23 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-12-13 14:27 . 2011-12-13 14:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-02 15:36 . 2011-12-02 15:36 -------- d-----w- C:\_OTL
2011-12-01 14:58 . 2011-12-01 14:58 -------- d-----w- c:\documents and settings\rfindlay\Application Data\Malwarebytes
2011-12-01 14:58 . 2011-12-01 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-01 14:57 . 2011-12-24 21:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2007-11-24 01:42 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2007-11-24 01:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2007-11-24 01:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2007-11-24 01:41 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2007-11-24 01:41 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2007-11-24 01:41 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2007-11-24 01:40 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2004-08-03 23:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2007-11-24 01:41 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2007-11-24 02:57 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-12-30 17:43 . 2011-11-10 04:26 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThpSrv"="c:\windows\system32\thpsrv" [X]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-10-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-10-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-10-15 137752]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"TabletWizard"="c:\windows\help\SplshWrp.exe" [2008-04-14 16384]
"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2008-04-14 271872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"CrossMenu"="c:\program files\TOSHIBA\CrossMenu\CrossMenu.exe" [2007-10-12 806912]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2007-08-23 258048]
"000StTHK"="000StTHK.exe" [2001-06-23 24576]
"NDSTray.exe"="NDSTray.exe" [BU]
"TAcelMgr"="c:\program files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe" [2004-12-16 90112]
"TSkrMain"="c:\program files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe" [2004-07-01 49152]
"TFncKy"="TFncKy.exe" [BU]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]
"TFNF5"="TFNF5.exe" [2006-04-11 622592]
"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]
"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]
"TPSODDCtl"="TPSODDCtl.exe" [2007-11-01 126976]
"TPSMain"="TPSMain.exe" [2007-10-16 315392]
"TRot.exe"="c:\program files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe" [2006-07-21 327680]
"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]
"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]
"Snippet"="c:\program files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" [2005-02-25 68296]
"WTouchUser"="c:\windows\system32\WTouchUser.exe" [2007-09-27 107816]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
.
c:\documents and settings\rfindlay\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 11:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TosBtNP]
2006-07-22 03:54 65536 ----a-w- c:\windows\system32\TosBtNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TSigNP]
2007-11-14 05:17 65536 ----a-w- c:\windows\system32\TSigNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2980555543-3683109968-1093558053-1513\Scripts\Logoff\0\0]
"Script"=logoff.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2980555543-3683109968-1093558053-1513\Scripts\Logon\0\0]
"Script"=logon.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 12:19 PM 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 5:23 PM 6528]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [11/23/2007 10:34 PM 5888]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 2:22 PM 105856]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [11/23/2007 10:34 PM 126976]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 2:15 PM 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [11/23/2007 10:09 PM 73728]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/2/2008 1:07 PM 1464856]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [1/1/2000 8:58 AM 95528]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/24/2007 12:11 PM 36608]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [11/23/2007 10:45 PM 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [11/23/2007 10:33 PM 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2/22/2007 2:55 PM 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/1/2000 8:57 AM 30248]
S1 MpKsl27de8cf3;MpKsl27de8cf3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{424D5E6A-5D0C-4058-A653-D17FEC387BDD}\MpKsl27de8cf3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{424D5E6A-5D0C-4058-A653-D17FEC387BDD}\MpKsl27de8cf3.sys [?]
S1 MpKsl521fc1d8;MpKsl521fc1d8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C5B9F88-084E-465A-8DFB-59EFAB764905}\MpKsl521fc1d8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3C5B9F88-084E-465A-8DFB-59EFAB764905}\MpKsl521fc1d8.sys [?]
S2 gupdate1c9eaa49c0939da;Google Update Service (gupdate1c9eaa49c0939da);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2009 8:55 AM 133104]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [11/23/2007 7:41 PM 14336]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [12/13/2011 8:28 AM 17408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/11/2009 8:55 AM 133104]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\28.tmp --> c:\windows\system32\28.tmp [?]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [5/2/2008 1:04 PM 14208]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/23/2007 7:41 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
NecUsbSevice REG_MULTI_SZ NecUsb
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
2011-12-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-11 12:56]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 14:55]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-11 14:55]
.
2011-12-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 21:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //newsurl:"news:alt.pulp"
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.2.25
FF - ProfilePath - c:\documents and settings\rfindlay\Application Data\Mozilla\Firefox\Profiles\uodrzgum.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2411669&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com//?oref=login
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NecUsb3Sevice - USB3Nw32.dll
SafeBoot-WinDefend
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 12:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\28.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\TSigNP.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(5220)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\ThpSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
c:\windows\system32\thpsrv.exe
c:\program files\Apoint2K\Apntex.exe
c:\windows\system32\TFNF5.exe
c:\windows\system32\igfxext.exe
c:\program files\TOSHIBA\TME3\TMETEMNU.EXE
c:\windows\system32\TPSODDCtl.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-30 12:51:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 18:51
.
Pre-Run: 69,991,927,808 bytes free
Post-Run: 71,084,523,520 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 128CD79BA4B0A83132526E924139E64D
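A helper reads a log like the one above by eye. As an added example (not part of this thread, of ComboFix, or of any forum post), the Python script below does the same first pass mechanically, pulling out the four indicator classes that are visible in the posted log: files deleted under a fake $NtUninstallKB...$ folder (a numeric subfolder full of '@' files, unlike a genuine hotfix backup folder, which holds a spuninst\ subfolder), system files ComboFix reports as infected together with where the clean copy came from, services whose image is a randomly named .tmp file, and user.js overrides that silence Firefox's mixed-content and insecure-form warnings. The SAMPLE_LOG text is a constructed excerpt modelled on the posted log, not the full file; the KB936929 (XP SP3) line is added as a benign contrast case and was not in the posted log. The regexes and category names are this example's own, not ComboFix's.

```python
"""Triage a ComboFix log for the indicator classes seen in the posted log.

Added example for this thread; not part of ComboFix or of any forum post.
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted above (not the full file); the
# KB936929 line is a benign contrast case, not something the posted log contained.
SAMPLE_LOG = r"""
c:\windows\$NtUninstallKB61402$
c:\windows\$NtUninstallKB61402$\3393791379\@
c:\windows\$NtUninstallKB61402$\3393791379\L\erhheinl
c:\windows\$NtUninstallKB61402$\3393791379\U\80000000.@
c:\windows\$NtUninstallKB936929$\spuninst\spuninst.exe
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\28.tmp --> c:\windows\system32\28.tmp [?]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [12/13/2011 8:28 AM 17408]
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com//?oref=login
"""

# A genuine hotfix backup folder is $NtUninstallKB<number>$\spuninst\...; a
# purely numeric subfolder holding '@' files and U\ / L\ subdirectories is a
# look-alike that only borrows the name.
FAKE_UNINSTALL = re.compile(r"\\\$NtUninstall(KB\d+)\$\\(\d+)\\", re.IGNORECASE)
INFECTED = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED = re.compile(r"^Restored copy from - (.+)$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
# Service/driver lines: "<start type> <name>;<display name>;<image path> ..."
TMP_SERVICE = re.compile(r"^[RS]\d (\S+?);[^;]*;.*?([A-Za-z]:\\[^ ]*?\.tmp)\b", re.IGNORECASE)
# user.js overrides that silence Firefox's mixed-content / insecure-submit prompts
FF_WARNING_OFF = re.compile(r"^FF - user\.js: (security\.warn_\S+) - false$")


def triage(log_text):
    """Group a ComboFix log's lines into indicator classes worth a second look."""
    findings = defaultdict(list)
    pending = None  # file named by an 'Infected copy' line, awaiting its 'Restored' line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FAKE_UNINSTALL.search(line):
            findings["fake_hotfix_folder"].append(line)
            continue
        m = INFECTED.match(line)
        if m:
            pending = m.group(1)
            continue
        m = RESTORED.match(line)
        if m and pending:
            source = m.group(1)
            # A path says where the clean copy came from; anything else means
            # ComboFix used a copy of its own, so hash the file against known-good media.
            findings["disinfected_system_file"].append(
                {"file": pending, "restored_from": source,
                 "source_is_path": bool(WIN_PATH.match(source))})
            pending = None
            continue
        m = TMP_SERVICE.match(line)
        if m:
            # Flag for review, not as malware: legitimate anti-rootkit tools also
            # load drivers from randomly named .tmp files.
            findings["service_backed_by_tmp"].append({"service": m.group(1), "image": m.group(2)})
            continue
        m = FF_WARNING_OFF.match(line)
        if m:
            findings["firefox_warning_disabled"].append(m.group(1))
    return dict(findings)


def report(findings):
    """Render findings as one line per item, in log order within each class."""
    lines = []
    for category, items in findings.items():
        for item in items:
            lines.append(f"[{category}] {item}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Two caveats on reading the output. The MEMSWEEP2 entry is flagged for review, not as malware: the log shows Sophos being installed on 2011-12-27 and the helper's cleanup post mentions Sophos Anti-Rootkit, which registers a service of that name backed by a .tmp file, so check it before acting on it. For the two disinfected system files, "source_is_path" only tells you whether ComboFix named a filesystem source; in either case the practical follow-up is to hash ipsec.sys and autochk.exe and compare against the copies in ServicePackFiles\i386 or the original install media.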


#19 smurf_inferno (Active Member, 42 posts)
Posted 30 December 2011 - 07:02 PM

In addition, I can now reconnect to Outlook and the Microsoft Exchange server. Yeah! I'll add a note if I see the Firefox spam continue.

This is good.

Thank you,
R

#20 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,831 posts)
Posted 30 December 2011 - 09:55 PM

A comment in your post with the ComboFix log disturbs me. You reference a corporate tech department. Is this a personal computer or a corporate-owned computer?

Normally I will not work on corporate computers. That is what Corporate IT and Tech departments are for.

From our Guidelines for Posting in This Forum:


"Note:
The help provided by Gladiator Security Forums is for personal computers only, either singly, or on a small home network. We do not provide help for corporate or work environment computers."

#21 smurf_inferno (Active Member, 42 posts)
Posted 30 December 2011 - 10:04 PM

This is my personal computer. But I use it for my school work. I am a teacher. My school has a tech department that fixes student computers (we have a 1-to-1 program), and I am able to avail myself of their services at times. However, they have only one "repair" option, and that is that they do a clean install.

I would hope that this doesn't make me a "corporate" entity. And I apologize for any confusion. -R

#22 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,831 posts)
Posted 30 December 2011 - 11:49 PM

No problem. Does it seem we have solved most, if not all, of your issues after running ComboFix? The ping.exe infection is usually resolved with CF, but since it does invade operating system files, it's best to check before we continue.

#23 smurf_inferno (Active Member, 42 posts)
Posted 02 January 2012 - 02:33 AM

It does seem like everything is solved at this point. I am experiencing none of the extreme memory usage that I attributed to the ping file, the spontaneous spammy browser tabs occurring with Firefox have quit, and I have access to my e-mail. The pop-up Run As window is long gone.

Thank you so much for the assistance. Just another reason to speak highly of your service. Which I hope I won't have to avail myself of for at least another few years. - R

#24 LoPhatPhuud (Master of Disaster Recovery, General Admin, 15,831 posts)
Posted 02 January 2012 - 04:09 PM

Glad we could help...

Cleaning Up:

To Delete TFC:
    * Delete the TFC icon on your Desktop

Delete OTL:
    * Double click the OTL icon on your Desktop
    * Press the 'Cleanup' button

Delete Security Check:
    * Delete the SecurityCheck icon on your Desktop

Delete Malware Bytes:
    * We recommend that you keep MalwareBytes (MBAM) and run it every week. There is no charge to keep the program; however, the real-time protection will stop after the trial period. Be sure to update the definitions before each use. If you decide not to keep MBAM, use Add/Remove Programs to uninstall it.

Delete Sophos AntiRootkit
    * If we asked you to install and run Sophos AntiRootkit program, uninstall it thru Add/Remove Programs.

Other Programs:
    * If we asked you to install any other programs that are not removed by the OTL cleanup procedure, we will provide separate removal instructions.
