C:\WINDOWS\system32\msxml4.dll is not a valid Windows image!!!!

    Question

  • Please help. Here is the report from ComboFix.


    ComboFix 10-04-26.02 - Carpenter 04/26/2010  20:02:27.1.2 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.360 [GMT -5:00]
    Running from: c:\documents and settings\Carpenter\My Documents\Downloads\ComboFix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
     * Created a new restore point
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    c:\recycler\S-1-5-21-3262063871-891380153-889118470-1003
    c:\windows\system32\Thumbs.db

    .
    (((((((((((((((((((((((((   Files Created from 2010-03-27 to 2010-04-27  )))))))))))))))))))))))))))))))
    .

    2011-02-27 04:02 . 2011-02-27 04:02 -------- d-----w- c:\program files\Elantech
    2010-04-17 23:24 . 2010-04-17 23:24 45056 ----a-r- c:\documents and settings\Carpenter\Application Data\Microsoft\Installer\{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
    2010-04-17 23:13 . 2005-07-08 04:55 4284 ------w- c:\windows\hphmdl02.dat
    2010-04-17 23:13 . 2005-07-08 04:55 51088 ----a-w- c:\windows\system32\drivers\hpzid412.sys
    2010-04-17 23:13 . 2005-07-08 04:55 21744 ----a-w- c:\windows\system32\drivers\HPZius12.sys
    2010-04-17 23:13 . 2005-07-08 04:55 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
    2010-04-17 23:12 . 2005-07-08 04:55 491520 ----a-w- c:\windows\system32\hphmon05.exe
    2010-04-17 23:12 . 2005-07-08 04:55 364544 ----a-w- c:\windows\system32\hphped05.exe
    2010-04-17 23:12 . 2005-07-08 04:55 270336 ----a-w- c:\windows\system32\HPZc3212.dll
    2010-04-17 23:12 . 2005-07-08 04:55 258048 ----a-w- c:\windows\system32\hpzcon09.dll
    2010-04-17 23:12 . 2005-07-08 04:55 192512 ----a-w- c:\windows\system32\hpzcoi09.dll
    2010-04-17 23:12 . 2005-07-08 04:55 135224 ----a-w- c:\windows\system32\hpzlnt09.dll
    2010-04-17 23:12 . 2005-07-08 04:55 6478 ----a-w- c:\windows\system32\hphmon05.dat

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-24 03:07 . 2010-04-24 03:07 -------- d-----w- c:\program files\Free Audio Pack
    2010-04-24 03:07 . 2010-04-24 03:07 -------- d-----w- c:\documents and settings\Carpenter\Application Data\FreeAudioPack
    2010-04-17 23:24 . 2010-04-17 23:13 19790 ----a-w- c:\windows\HPHins02.dat
    2010-04-17 23:24 . 2010-04-17 23:13 -------- d-----w- c:\program files\Hewlett-Packard
    2010-04-17 23:24 . 2010-04-17 23:23 -------- d-----w- c:\program files\HP
    2010-04-15 01:37 . 2009-02-19 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-24 03:34 . 2010-03-24 03:34 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2010-03-17 02:42 . 2010-03-17 02:41 -------- d-----w- c:\program files\iTunes
    2010-03-17 02:41 . 2010-03-17 02:41 -------- d-----w- c:\program files\iPod
    2010-03-17 02:41 . 2009-05-30 21:50 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-17 02:36 . 2010-03-17 02:36 -------- d-----w- c:\program files\QuickTime
    2010-03-17 02:31 . 2010-03-17 02:31 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-12 03:04 . 2010-03-10 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-03-10 18:34 . 2010-03-10 18:34 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
    2010-03-10 06:15 . 2010-02-19 17:21 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-09 04:16 . 2010-01-10 05:48 1 ----a-w- c:\documents and settings\Carpenter\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-02-25 06:24 . 2010-02-19 17:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2010-02-19 17:21 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 18:32 . 2010-02-19 18:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-02-16 14:08 . 2008-04-14 00:54 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2010-02-19 17:21 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2010-02-19 17:21 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    2010-01-28 14:03 . 2010-01-28 14:03 348160 ----a-w- c:\documents and settings\Carpenter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fea1224-n\msvcr71.dll
    2010-01-28 14:03 . 2010-01-28 14:03 503808 ----a-w- c:\documents and settings\Carpenter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fea1224-n\msvcp71.dll
    2010-01-28 14:03 . 2010-01-28 14:03 499712 ----a-w- c:\documents and settings\Carpenter\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2fea1224-n\jmc.dll
    2010-01-28 14:03 . 2010-01-28 14:03 61440 ----a-w- c:\documents and settings\Carpenter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-570e3f20-n\decora-sse.dll
    2010-01-28 14:03 . 2010-01-28 14:03 12800 ----a-w- c:\documents and settings\Carpenter\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-570e3f20-n\decora-d3d.dll
    2008-05-07 08:34 . 2009-02-19 19:07 15523560 ----a-w- c:\program files\U1 Setup.exe
    2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Carpenter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-29 133104]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-02-08 2343632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-01-23 416768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-13 17508864]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 176128]
    "HPHUPD05"="c:\program files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
    "HPHmon05"="c:\windows\system32\hphmon05.exe" [2005-07-08 491520]

    c:\documents and settings\Carpenter\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-2-19 376832]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-11 00:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/29/2009 12:15 PM 102448]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/19/2009 1:56 PM 1684736]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
    S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2/12/2009 9:27 AM 933504]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-04-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1992389753-195158480-2113872049-1006Core.job
    - c:\documents and settings\Carpenter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-29 19:25]

    2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1992389753-195158480-2113872049-1006UA.job
    - c:\documents and settings\Carpenter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-29 19:25]

    2010-04-24 c:\windows\Tasks\HP Usg Daily.job
    - c:\program files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2010-04-17 04:55]

    2010-01-26 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-01-09 19:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://ui.skype.com/ui/0/3.6.0.248.179/en/go/promo.trybeforebuy
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\documents and settings\Carpenter\Application Data\Mozilla\Firefox\Profiles\w10odktw.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
    FF - plugin: c:\documents and settings\Carpenter\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\Carpenter\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-Symantec Antvirus

     

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-26 20:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-04-26  20:18:33
    ComboFix-quarantined-files.txt  2010-04-27 01:18

    Pre-Run: 31,120,142,336 bytes free
    Post-Run: 31,213,469,696 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 678A940EAB2459760B77BFC47DCD4B44

    Thursday, April 29, 2010 2:05 AM
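The title of this post is the text of the Windows hard-error dialog that the loader raises with STATUS_INVALID_IMAGE_FORMAT (0xC000007B) when it refuses to map a DLL: the file is not a PE image at all, it is truncated, or its header is inconsistent (for example a 64-bit PE32+ image on the 32-bit XP system in this log). Nothing in the posted ComboFix output shows msxml4.dll itself, so the following is an added example, not part of the poster's report or of ComboFix: it performs the same structural checks the loader does on a file's DOS/PE headers and reports why a file would be rejected, so a responder can tell a corrupt or wrong-architecture DLL from a missing registration before reaching for repair or reinstall steps. The header bytes it runs against are constructed inline; the function and variable names are my own, and `check_pe_file()` is the only part that touches a real file.

```python
import hashlib
import struct

# Constants from the PE/COFF specification (winnt.h names).
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_DLL = 0x2000
COFF_HEADER_FMT = "<HHIIIHH"            # Machine, NumberOfSections, TimeDateStamp,
                                        # PointerToSymbolTable, NumberOfSymbols,
                                        # SizeOfOptionalHeader, Characteristics


def check_pe_image(data: bytes, host_is_x86: bool = True) -> dict:
    """Apply the loader's structural checks to a PE image held in memory.

    Returns {'ok': bool, 'reason': str, ...}. A False 'ok' is a file that
    Windows would refuse with 'is not a valid Windows image'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"ok": False, "reason": "no MZ DOS header (not a PE file, or overwritten)"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4-byte PE signature followed by the 20-byte COFF file header.
    if e_lfanew + 24 > len(data):
        return {"ok": False, "reason": "e_lfanew points past end of file (truncated)"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"ok": False, "reason": "PE signature missing at e_lfanew"}
    machine, nsections, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        return {"ok": False, "reason": "optional header truncated"}
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Machine type and optional-header magic must agree with each other.
    expected = {IMAGE_FILE_MACHINE_I386: IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                IMAGE_FILE_MACHINE_AMD64: IMAGE_NT_OPTIONAL_HDR64_MAGIC}.get(machine)
    if expected is None:
        return {"ok": False, "reason": "unknown Machine value 0x%x" % machine}
    if magic != expected:
        return {"ok": False, "reason": "optional header magic 0x%x does not match Machine 0x%x"
                % (magic, machine)}
    # A 32-bit OS (the XP Home x86 system in the log) cannot load a PE32+ image.
    if host_is_x86 and machine != IMAGE_FILE_MACHINE_I386:
        return {"ok": False, "reason": "64-bit image on a 32-bit host"}
    return {
        "ok": True,
        "reason": "",
        "machine": machine,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
        # Compare against the hash of a known-good copy from install media / another host.
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_pe_file(path: str, host_is_x86: bool = True) -> dict:
    """Convenience wrapper for a real file, e.g. C:\\WINDOWS\\system32\\msxml4.dll."""
    with open(path, "rb") as fh:
        return check_pe_image(fh.read(), host_is_x86)


def _build_header(machine=IMAGE_FILE_MACHINE_I386, magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                  characteristics=0x2102, opt_size=0xE0) -> bytes:
    """Constructed sample: a minimal DOS stub + PE header, headers only, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> right after the stub
    coff = struct.pack(COFF_HEADER_FMT, machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed test inputs (not real msxml4.dll bytes).
GOOD_PE32_DLL = _build_header()                                   # loads on XP x86
ZEROED_FILE = b"\x00" * 0x400                                     # wiped/overwritten
TRUNCATED_FILE = GOOD_PE32_DLL[:0x50]                             # cut mid-header
PE32PLUS_DLL = _build_header(machine=IMAGE_FILE_MACHINE_AMD64,
                             magic=IMAGE_NT_OPTIONAL_HDR64_MAGIC, opt_size=0xF0)
INCONSISTENT_DLL = _build_header(magic=IMAGE_NT_OPTIONAL_HDR64_MAGIC)  # i386 + PE32+ magic

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PE32_DLL), ("zeroed", ZEROED_FILE),
                       ("truncated", TRUNCATED_FILE), ("pe32+", PE32PLUS_DLL),
                       ("inconsistent", INCONSISTENT_DLL)]:
        print(name, check_pe_image(blob))
```

A clean result from `check_pe_file` does not prove the DLL is trustworthy, only that the loader will accept it; the sha256 is there so the file can be compared with a copy from install media or an identical patched machine, which is the check that distinguishes a damaged file from a replaced one.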