Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirecting search engine results and random pop ups


  • This topic is locked This topic is locked
11 replies to this topic

#1 cowboyrob3

cowboyrob3

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 22 May 2010 - 02:04 AM

When clicking on search results from Google or Bing, I am redirected to other search engines or unrelated websites. A few times a new browser window has randomly popped up without the result of clicking on anything and with the pop-up blocker turned on. The computer has slowed to a crawl (which may be due in part to adding a virus detection software). This is an older laptop used only occassionally.

Would really like to get rid of the redirects and the burden on the system.

Thank you.


DDS (Ver_10-03-17.01) - FAT32x86
Run by User at 1:18:13.85 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.17 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
SVCHOST.EXE
C:\WINDOWS\system32\Atievxx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.computer-adviser.com/ie-hijacked.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus xtreme g\AirPlus.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-21 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-21 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-21 242896]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-19 65584]
R3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [2005-9-21 281600]
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [2005-9-21 55999]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2005-9-21 174464]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [2005-9-21 701386]

=============== Created Last 30 ================

2010-05-22 02:39:43 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 02:39:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-21 12:53:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 12:53:09 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 12:52:44 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 12:52:05 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-21 12:51:59 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-05-21 12:44:18 0 d-----w- c:\program files\AVG
2010-05-21 12:43:29 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-21 05:06:16 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-05-21 05:06:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-08 20:10:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 16:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-02 02:14:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 1:20:55.92 ===============

Attached Files


Edited by cowboyrob3, 22 May 2010 - 10:44 AM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 25 May 2010 - 05:31 AM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#3 cowboyrob3

cowboyrob3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 25 May 2010 - 09:11 AM

Thank you for helping with this. The OTL.log, OTL Extras.log and the gmer.log are copied below. My problem is the same as described in my first post. Search results from google and bing (and others?) are redirected to various sites. Occassionally a new IE window will pop up when the computer is sitting idle. Also, I noticed when looking at process from ctl-alt-del that an instance of svchost.exe will sometimes be running at 90+% and using upwards of 100,000k of memory. The computer slows to a crawl and may take ten minutes to navigate to a new website. This morning it seemed to be working more or less ok speed wise, but I hadn't gone to any other website except this one since booting up. However, when trying to post this message, I kept getting a connection error and then I opened my yahoo.com email to try to send the message to myself to post this reponse from another computer and I started getting redirects and pop ups at that time. I finally got it posted by getting the yahoo email to go through and posting from another computer, but it took several tries before getting even yahoo's email to work from the infected computer.


OTL logfile created on: 5/25/2010 8:24:08 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 58.00 Mb Available Physical Memory | 23.00% Memory free
492.00 Mb Paging File | 192.00 Mb Available in Paging File | 39.00% Paging File free
Paging file location(s): C:\pagefile.sys 256 512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.61 Gb Total Space | 9.64 Gb Free Space | 51.79% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DSSLAPTOP
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/25 08:23:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2010/05/21 07:50:20 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/05/21 07:50:20 | 000,620,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/05/21 07:50:14 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/05/21 07:50:08 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/05/21 07:49:30 | 002,064,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/05/21 07:48:24 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/10/26 16:35:30 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/10/26 16:34:48 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2009/10/26 16:16:38 | 000,071,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\ssonsvr.exe
PRC - [2008/04/13 19:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 22:16:38 | 000,039,792 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
PRC - [2003/10/24 15:41:02 | 000,512,082 | ---- | M] (D-Link) -- C:\Program Files\D-Link AirPlus Xtreme G\AIRPLUS.exe


========== Modules (SafeList) ==========

MOD - [2010/05/25 08:23:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
MOD - [2008/04/13 19:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/21 07:48:24 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/04/19 10:25:38 | 000,430,152 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)


========== Driver Services (SafeList) ==========

DRV - [2010/05/21 07:53:16 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/05/21 07:52:46 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/05/21 07:52:44 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/02/23 20:53:24 | 000,011,861 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) WPA Security Protocol (IEEE 802.1x)
DRV - [2009/10/19 18:58:22 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2004/05/12 02:47:00 | 000,351,840 | R--- | M] (D-Link) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2001/08/17 13:28:02 | 000,701,386 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WDHAALBA.sys -- (WDHAALBA)
DRV - [2001/08/17 12:48:40 | 000,281,600 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atimtai.sys -- (atimtai)
DRV - [2001/08/17 12:19:48 | 000,174,464 | ---- | M] (ESS Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es198x.sys -- (maestro) ESS Maestro 3 Audio Driver (WDM)
DRV - [2001/08/17 12:10:56 | 000,055,999 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EL556ND5.sys -- (EL556ND5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
IE - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 5B 0A 89 69 F9 CA 01 [binary data]
IE - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/12 13:19:40 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G\AIRPLUS.exe (D-Link)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1177238915-1343024091-1060284298-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/21 20:57:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/25 08:23:21 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/05/22 01:29:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\gmer
[2010/05/22 00:52:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\avz
[2010/05/21 21:39:43 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/21 21:39:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/05/21 21:37:17 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\User\My Documents\spybotsd162.exe
[2010/05/21 07:53:18 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/05/21 07:53:09 | 000,242,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/05/21 07:52:44 | 000,216,200 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/05/21 07:52:36 | 000,029,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/05/21 07:52:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/05/21 07:51:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/05/21 07:44:18 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/05/21 07:43:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/05/21 07:33:31 | 002,131,808 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\User\My Documents\avg_free_stb_all_9_114_cnet.exe
[2010/05/21 04:05:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/05/21 04:05:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/05/21 00:06:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Malwarebytes
[2010/05/21 00:06:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/21 00:04:50 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\My Documents\mbam-setup-1.46.exe
[2010/05/18 23:30:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/18 23:30:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/08 15:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/05/08 15:09:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Citrix
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/25 08:23:24 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2010/05/25 08:21:30 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/25 08:20:24 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/25 08:20:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/22 19:05:44 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/05/22 19:05:44 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/05/22 09:30:58 | 060,263,185 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/22 01:27:50 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\User\Desktop\gmer.zip
[2010/05/22 01:12:24 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2010/05/22 00:58:08 | 000,117,689 | ---- | M] () -- C:\Documents and Settings\User\My Documents\avz_sysinfo.htm
[2010/05/22 00:58:08 | 000,049,697 | ---- | M] () -- C:\Documents and Settings\User\My Documents\avz_sysinfo.xml
[2010/05/21 21:40:18 | 000,000,837 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Spybot - Search & Destroy.lnk
[2010/05/21 21:37:04 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\User\My Documents\spybotsd162.exe
[2010/05/21 07:53:36 | 000,001,411 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/05/21 07:53:28 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/05/21 07:53:16 | 000,242,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/05/21 07:52:46 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/05/21 07:52:44 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/05/21 07:52:38 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/05/21 07:33:38 | 002,131,808 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\User\My Documents\avg_free_stb_all_9_114_cnet.exe
[2010/05/21 07:24:54 | 004,312,538 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/05/21 00:04:52 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\User\My Documents\mbam-setup-1.46.exe
[2010/05/01 18:50:36 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/22 01:27:52 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\User\Desktop\gmer.zip
[2010/05/22 01:12:34 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\User\Desktop\dds.scr
[2010/05/22 00:58:07 | 000,117,689 | ---- | C] () -- C:\Documents and Settings\User\My Documents\avz_sysinfo.htm
[2010/05/22 00:58:07 | 000,049,697 | ---- | C] () -- C:\Documents and Settings\User\My Documents\avz_sysinfo.xml
[2010/05/21 21:40:16 | 000,000,837 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Spybot - Search & Destroy.lnk
[2010/05/21 07:53:35 | 000,001,411 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 9.0.lnk
[2010/05/21 07:52:35 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/05/21 07:52:06 | 060,263,185 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2008/04/06 21:20:01 | 000,000,114 | ---- | C] () -- C:\WINDOWS\Webica.ini
[2007/12/27 21:50:27 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2005/09/21 21:20:30 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/07/08 00:13:16 | 000,651,264 | R--- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2003/07/08 00:13:16 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\ssleay32.dll
< End of report >



OTL Extras logfile created on: 5/25/2010 8:24:08 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 58.00 Mb Available Physical Memory | 23.00% Memory free
492.00 Mb Paging File | 192.00 Mb Available in Paging File | 39.00% Paging File free
Paging file location(s): C:\pagefile.sys 256 512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.61 Gb Total Space | 9.64 Gb Free Space | 51.79% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DSSLAPTOP
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00170409-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000 SR-1
"{15A0B3F2-A344-4F55-A93F-B5DF60887BF5}" = Citrix online plug-in (SSON)
"{247530E4-36A9-4599-A08D-A32E834538B5}" = Citrix online plug-in (DV)
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{52A5F706-2FCC-4C14-9E9A-345C2DCB25E9}" = D-Link AirPlus Xtreme G Adapter
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{94A72E42-1C45-4728-A6B0-AD80D106291E}" = Citrix online plug-in (HDX)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B5732C42-99B9-41F2-80A6-0AEF04C4E19C}" = Citrix online plug-in (Web)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F7168F20-F0EE-43EE-A780-A2AF66BD2597}" = Citrix online plug-in (USB)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AVG9Uninstall" = AVG Free 9.0
"CitrixOnlinePluginFull" = Citrix online plug-in
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: 12175 (0x2f8f)

Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: 12175 (0x2f8f)

Error - 1/31/2009 11:19:11 AM | Computer Name = DSSLAPTOP | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This network connection does not exist.

Error - 2/4/2009 11:22:45 PM | Computer Name = DSSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16762, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/24/2009 11:02:25 PM | Computer Name = DSSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16827, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/25/2009 1:02:52 AM | Computer Name = DSSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16850, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/30/2009 9:30:08 PM | Computer Name = DSSLAPTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16850, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/21/2010 8:26:19 AM | Computer Name = DSSLAPTOP | Source = SideBySide | ID = 16842810
Description = Syntax error in manifest or policy file "C:\Program Files\Citrix\ICA
Client\Microsoft.VC80.MFCLOC.MANIFEST" on line 5.

Error - 5/21/2010 8:26:19 AM | Computer Name = DSSLAPTOP | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Citrix\ICA
Client\MFC80.DLL. Reference error message: The operation completed successfully.
.

Error - 5/21/2010 8:26:29 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/21/2010 8:26:29 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/22/2010 12:05:21 AM | Computer Name = DSSLAPTOP | Source = BROWSER | ID = 8032
Description = The browser service has failed to retrieve the backup list too many
times on transport \Device\NetBT_Tcpip_{4711F901-DD99-483D-B1B1-2CBAB92FCA72}. The
backup browser is stopping.

Error - 5/22/2010 10:23:32 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/22/2010 10:23:32 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 9:20:23 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 5/25/2010 9:20:23 AM | Computer Name = DSSLAPTOP | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 5/25/2010 9:23:23 AM | Computer Name = DSSLAPTOP | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 08:46:49
Windows 5.1.2600 Service Pack 3
Running: h429fkbn.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\uxldipod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[928] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[928] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[1672] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1672] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1672] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by cowboyrob3, 25 May 2010 - 09:16 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 25 May 2010 - 10:47 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#5 cowboyrob3

cowboyrob3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 25 May 2010 - 11:18 PM

Thank you. I ran combofix and it detected a rootkit infection. Here is the log:


ComboFix 10-05-25.02 - User 05/25/2010 22:59:30.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.25 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-22 02:39 . 2010-05-22 02:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-22 02:39 . 2010-05-22 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-22 02:33 . 2010-04-19 15:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-05-21 12:53 . 2010-05-21 12:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 12:53 . 2010-05-21 12:53 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 12:52 . 2010-05-21 12:52 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 12:52 . 2010-05-21 12:52 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 12:52 . 2010-05-21 12:52 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-21 12:51 . 2010-05-21 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-21 12:44 . 2010-05-21 12:44 -------- d-----w- c:\program files\AVG
2010-05-21 12:43 . 2010-05-21 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-21 09:05 . 2010-05-21 09:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-21 05:06 . 2010-05-21 05:06 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2010-05-21 05:06 . 2010-05-21 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 20:10 . 2009-10-26 21:03 66928 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_zh-TW.dll
2010-05-08 20:10 . 2009-10-26 21:02 66928 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_zh-CN.dll
2010-05-08 20:10 . 2009-10-26 21:02 75120 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_ru.dll
2010-05-08 20:10 . 2009-10-26 21:38 1049952 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpress.exe
2010-05-08 20:10 . 2009-10-26 21:04 71024 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_ko.dll
2010-05-08 20:10 . 2009-10-26 21:01 71024 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_ja.dll
2010-05-08 20:10 . 2009-10-26 21:00 75120 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_fr.dll
2010-05-08 20:10 . 2009-10-26 20:59 75120 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_es.dll
2010-05-08 20:10 . 2009-10-26 20:59 75120 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_de.dll
2010-05-08 20:10 . 2009-10-26 20:58 75120 ----a-w- c:\documents and settings\All Users\Application Data\Citrix\Citrix online plug-in\TrolleyExpressUI_en.dll
2010-05-08 20:10 . 2010-05-08 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-05-08 20:09 . 2010-05-08 20:09 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-10 06:15 . 2004-08-12 18:32 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-12 18:33 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-10-26 103768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus Xtreme G Configuration Utility.lnk - c:\program files\D-Link AirPlus Xtreme G\AirPlus.exe [2010-2-23 512082]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 12:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/21/2010 7:52 AM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/21/2010 7:53 AM 242896]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/19/2009 6:58 PM 65584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/21/2010 7:48 AM 308064]
R3 atimtai;atimtai;c:\windows\system32\drivers\atimtai.sys [9/21/2005 6:33 PM 281600]
R3 EL556ND5;3Com 10/100 MiniPCI Ethernet Adapter Driver;c:\windows\system32\drivers\EL556ND5.sys [9/21/2005 6:32 PM 55999]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [9/21/2005 6:32 PM 174464]
R3 WDHAALBA;WDHAALBAMiniPCI Winmodem;c:\windows\system32\drivers\WDHAALBA.sys [9/21/2005 6:31 PM 701386]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [5/21/2010 7:51 AM 430152]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bleepingcomputer.com/forums/topic34773.html
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 23:08
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\Citrix\ICA Client\pnsson.dll

- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-25 23:12:35
ComboFix-quarantined-files.txt 2010-05-26 04:12

Pre-Run: 10,212,802,560 bytes free
Post-Run: 10,314,481,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9E02D0E1AA571048E2DD89FCAEECA7C4


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 26 May 2010 - 03:13 AM

Hello again,
Please visit the adobe website and install the latest version of Adobe reader. Older versions are known to have security vulnerabilities.

Please let me know how things are running now.

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#7 cowboyrob3

cowboyrob3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 26 May 2010 - 07:36 PM

Things seem to be operating much better. Thank you so much! The MBAM log is copied below. Anything left to do? Do I need to uninstall the various programs (DDS, OTL, GMER, Combofix, Malware bytes, etc.)?


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4145

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/26/2010 10:01:00 AM
mbam-log-2010-05-26 (10-01-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 146190
Time elapsed: 1 hour(s), 13 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 27 May 2010 - 11:37 AM

Not so fast laugh.gif Lets first make things are indeed clean and then uninstall/remove all tools.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#9 cowboyrob3

cowboyrob3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 27 May 2010 - 11:45 PM

Thank you. Here is the report from ESET:


C:\Documents and Settings\User\Local Settings\Application Data\Identities\{361EC05B-4DB4-46F9-8B6E-F81DD4C8ED87}\Microsoft\Outlook Express\Sent Items.dbx Eicar test file unable to clean
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 28 May 2010 - 04:07 AM

Hello again,

Infected Outlook Express
The online scan log indicates that there are infected emails in the Inbox folder in Outlook Express.

Please delete the emails in your Inbox folder - keep only the emails that are of extreme importance. After you finish deleting the emails, please right click on the Deleted Items folder and click Empty 'Deleted Items' Folder.

Having removed all your unwanted Emails completely it is now wise to Compact all your remaining Emails. Compacting makes the size of the folders smaller by compacting the files contained within them. All the Emails are still readable and still intact just smaller.

To do this click from the top toolbar File / Folder / Compact All Folders


ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean smile.gif

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.
Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


#11 cowboyrob3

cowboyrob3
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 29 May 2010 - 06:48 PM

Thank you. I've read your latest post and my computer is working fine. I really appreciate your help.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 53,520 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 AM

Posted 30 May 2010 - 02:14 AM

You are welcome smile.gif

This topic will now be closed. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.
regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


banner.png

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users