BleepingComputer.com: rootkit

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

rootkit Infected with

#1 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 06 November 2009 - 07:48 AM

Hi,
I have been informed by Garmanma that I have a rootkit infection and should post the info here for help in getting rid of it! I tried to run the DDS program but the same thing happens to it thathappens to my maleware and antispuware programs - they start to run then disappear off the screen. Here are the two logs that I was ablem to obtain:Running from: C:\Documents and Settings\Charles R Schultz\Desktop\SPYWARES\Win32kDiag.exe

Log file at : C:\Documents and Settings\Charles R Schultz\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB963027\KB963027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE8\KB976749-IE8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP218.tmp\ZAP218.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F6.tmp\ZAP2F6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP322.tmp\ZAP322.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP347.tmp\ZAP347.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\{E1BBBAC5-2857-4155-82A6-54492CE88620}\{E1BBBAC5-2857-4155-82A6-54492CE88620}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Performance\WinSAT\DataStore\DataStore

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\38cc9246b0b2808f85d733169eec82d4\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe

[1] 2005-02-24 22:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 12:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 10:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 12:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB969059\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB969497-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB971180-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971486\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB971961-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB972636-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973525\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB974112\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB974455-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB974571\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB975025\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB975467\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\38cc9246b0b2808f85d733169eec82d4\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe ()



Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\0de8973b-e900-47fd-a9ee-f45390b6df07\0de8973b-e900-47fd-a9ee-f45390b6df07

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\5d3b3f0b-0b10-47de-b66a-4aa593f8a9ab\5d3b3f0b-0b10-47de-b66a-4aa593f8a9ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\8385e098-4532-4f8b-8276-c066168f330e\8385e098-4532-4f8b-8276-c066168f330e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\af82f682-17d7-4d41-937f-80dd963083d2\af82f682-17d7-4d41-937f-80dd963083d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\b75de9fc-138b-49fe-9332-70d8a7d27b33\b75de9fc-138b-49fe-9332-70d8a7d27b33

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\e0e905fa-6f85-4270-b770-88ad266f2642\e0e905fa-6f85-4270-b770-88ad266f2642

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

Volume in drive C has no label.
Volume Serial Number is ECBB-BFD9

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 200,694,943,744 bytes free

Any help in getting rid of this dang thing would be appreciated11 Thanks :(

#2 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 November 2009 - 07:54 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 06 November 2009 - 08:38 AM

Here'sthe combofix log:ComboFix 09-11-05.05 - Charles R Schultz 11/06/2009 8:29.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2401 [GMT -5:00]
Running from: c:\documents and settings\Charles R Schultz\Desktop\SPYWARES\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-04 13:40 . 2009-11-04 13:40 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-04 12:38 . 2009-11-04 12:38 152576 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 20:53 . 2009-10-08 16:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-03 20:53 . 2009-10-08 16:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-03 20:53 . 2009-10-08 16:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-03 20:53 . 2009-10-08 16:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-03 20:53 . 2009-10-02 19:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-03 20:53 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2009-11-03 20:52 . 2009-09-24 13:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-03 20:52 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-03 20:52 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-03 20:52 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-03 20:52 . 2009-11-06 13:13 -------- d-----w- c:\program files\Spyware Doctor
2009-11-03 20:52 . 2009-11-03 20:54 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-03 20:52 . 2009-11-03 20:52 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\PC Tools
2009-11-03 20:52 . 2009-11-03 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-03 20:51 . 2009-11-06 13:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 15:39 . 2009-11-02 15:39 89888 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-02 14:42 . 2009-11-02 15:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-01 14:20 . 2009-11-01 14:20 117760 ----a-w- c:\documents and settings\Charles R Schultz\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-01 14:20 . 2009-11-01 14:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-01 14:20 . 2009-11-01 14:20 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\SUPERAntiSpyware.com
2009-11-01 12:19 . 2009-11-01 12:21 -------- d-----w- C:\$AVG
2009-11-01 12:18 . 2009-11-06 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-31 10:56 . 2009-11-06 12:18 0 ----a-r- c:\windows\win32k.sys
2009-10-15 18:43 . 2009-10-15 18:43 -------- d-----w- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\Blizzard Entertainment
2009-10-07 20:31 . 2009-10-07 20:31 -------- d-----w- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\WinZip
2009-10-07 20:31 . 2009-10-07 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 14:01 . 2009-06-30 20:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-04 13:36 . 2009-06-30 11:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-04 12:38 . 2009-05-16 19:45 -------- d-----w- c:\program files\Java
2009-11-02 14:42 . 2009-05-19 15:04 -------- d-----w- c:\program files\Lavasoft
2009-11-01 12:18 . 2009-05-16 16:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-01 12:18 . 2009-05-16 16:30 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-01 12:18 . 2009-05-16 16:30 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-01 12:18 . 2009-05-16 16:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-01 12:18 . 2009-05-16 16:30 -------- d-----w- c:\program files\AVG
2009-10-28 12:50 . 2009-05-19 15:04 -------- d-----w- c:\program files\Opera
2009-10-23 18:42 . 2009-05-16 17:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-21 14:46 . 2009-05-16 18:47 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Canon
2009-10-13 20:50 . 2009-05-17 12:26 -------- d-----w- c:\program files\Greetings Workshop
2009-10-11 09:17 . 2009-05-16 19:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 19:30 . 2009-07-02 10:28 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\Skype
2009-10-10 19:13 . 2009-07-02 10:34 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\skypePM
2009-10-07 20:29 . 2009-11-02 13:22 142710 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
2009-10-07 20:28 . 2009-08-31 10:35 -------- d-----w- c:\documents and settings\Charles R Schultz\Application Data\BitZipper
2009-09-27 18:44 . 2009-05-19 11:58 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-27 11:55 . 2009-09-27 11:55 -------- d-----w- c:\program files\IObit
2009-09-16 08:20 . 2009-11-03 20:52 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 11:20 . 2009-11-03 20:52 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 07:12 . 2009-11-03 20:52 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 06:01 . 2009-11-03 20:52 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-11 14:18 . 2001-08-18 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 11:37 . 2009-05-27 17:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 11:24 . 2009-05-16 15:22 89888 ----a-w- c:\documents and settings\Charles R Schultz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-29 08:08 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2001-08-18 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-21 19:59 . 2009-05-21 20:00 348160 ----a-w- c:\program files\opera\program\plugins\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="c:\windows\system32\dumprep 0 -k" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"Adobe Reader Speed Launcher"="e:\adobe\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"combofix"="c:\combofix\CF18578.exe" [2009-11-06 389120]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Magic-i.lnk - e:\new folder\ArcSoft\HP Webcam\ArcSoft\Magic-i 3\Magic-i.exe [2009-7-6 530944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-01 12:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Button Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Button Manager.lnk
backup=c:\windows\pss\HP Button Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Magic-i.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Magic-i.lnk
backup=c:\windows\pss\Magic-i.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Charles R Schultz^Start Menu^Programs^Startup^Greetings Workshop Reminders.lnk]
path=c:\documents and settings\Charles R Schultz\Start Menu\Programs\Startup\Greetings Workshop Reminders.lnk
backup=c:\windows\pss\Greetings Workshop Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
"TBPanel"=c:\program files\Vtune\TBPanel.exe /A
"AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"f:\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=
"e:\\STEAM\\steamapps\\common\\quake\\Winquake.exe"=
"e:\\STEAM\\steamapps\\common\\quake\\qwcl.exe"=
"e:\\STEAM\\steamapps\\common\\quake\\Glquake.exe"=
"e:\\STEAM\\steamapps\\common\\quake\\glqwcl.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"f:\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"f:\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\rundll32.exe"=
"f:\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"f:\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"f:\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"f:\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/3/2009 3:52 PM 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/16/2009 11:30 AM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/16/2009 11:30 AM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/1/2009 7:18 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/1/2009 7:18 AM 285392]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/3/2009 3:53 PM 112592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/3/2009 3:52 PM 358600]
S3 taterto2.scr;taterto2.scr;\??\c:\windows\system32\drivers\taterto2.scr.sys --> c:\windows\system32\drivers\taterto2.scr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - hxxp://w4s2.work4sure.com/c/ge/w4sgeen9.exe
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - c:\program files\Media Access Startup\1.5.0.850\HPIEAddOn.dll
BHO-{35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - c:\program files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll
BHO-{F0626A63-410B-45E2-99A1-3F2475B2D695} - c:\program files\SGPSA\BHO.dll
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
AddRemove-{16B6279B-9FF5-41fb-8BF9-404324F5DD1F}}_is1 - c:\program files\Media Access Startup\1.5.0.850\unins000.exe
AddRemove-{1FB52AB3-5987-45a2-85E0-F3EC30DDDC29}}_is1 - c:\program files\Internet Saving Optimizer\3.4.0.4340\unins000.exe
AddRemove-{C5096216-7703-409E-B85A-8A6EE7395128}}_is1 - c:\program files\System Search Dispatcher\1.3.0.840\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 08:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
e:\new folder\ArcSoft\HP Webcam\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\windows\system32\imapi.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-06 8:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 13:36

Pre-Run: 200,623,267,840 bytes free
Post-Run: 203,463,184,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - C5DD2458056FB8F5252F116EF6CF1481

#4 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 06 November 2009 - 06:16 PM

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


=====================


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 07 November 2009 - 07:28 AM

1.
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


.
Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\RootRepeal.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Administrator\Desktop\taterto2.scr: Access is denied.


..

...
Failed to open \\?\c:\\Documents and Settings\Charles R Schultz\Desktop\SPYWARES\RootRepeal.exe: Access is denied.




...

...

...

...

...
Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.




...

...

..
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


.

...

...

...

...

...

.
Failed to open \\?\c:\\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe: Access is denied.


..

...

.
Failed to open \\?\c:\\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe: Access is denied.


..

...

...

.No reparse points found.

2.Running from: C:\Documents and Settings\Charles R Schultz\Desktop\SPYWARES\Win32kDiag.exe

Log file at : C:\Documents and Settings\Charles R Schultz\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe

[1] 2005-02-24 22:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 12:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)

[1] 2007-12-03 10:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 06:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)

[1] 2008-11-15 12:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB969059\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB969497-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)

[1] 2007-11-30 07:39:22 755576 C:\WINDOWS\$hf_mig$\KB971180-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971486\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB971961-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB972636-IE8\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973525\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB974112\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\$hf_mig$\KB974455-IE8\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB974571\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB975025\update\update.exe (Microsoft Corporation)

[1] 2009-05-26 06:40:52 755576 C:\WINDOWS\$hf_mig$\KB975467\update\update.exe (Microsoft Corporation)

[1] 2008-07-09 02:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\38cc9246b0b2808f85d733169eec82d4\update\update.exe (Microsoft Corporation)

[1] 2008-07-08 08:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe ()

[2] 2008-11-10 12:44:06 62336 C:\System Volume Information\_restore{026E3728-F169-4E99-B915-CC47F6EA9103}\RP232\A0038628.exe ()





Finished!

Above are the two logs that you requested. Thanks :(

#6 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 November 2009 - 09:39 AM

We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\RootRepeal.exe"

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Administrator\Desktop\taterto2.scr"

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Charles R Schultz\Desktop\SPYWARES\RootRepeal.exe"

    "%userprofile%\desktop\inherit" "c:\Program Files\AVG\AVG8\avgcsrvx.exe"


  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.
=======================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

This post has been edited by Buckeye_Sam: 07 November 2009 - 09:39 AM

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 07 November 2009 - 03:35 PM

Following Maleware scan :Malwarebytes' Anti-Malware 1.41
Database version: 3118
Windows 5.1.2600 Service Pack 3

11/7/2009 3:35:33 PM
mbam-log-2009-11-07 (15-35-33).txt

Scan type: Quick Scan
Objects scanned: 116420
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{6160f76a-1992-4b17-a32d-0c706d159105} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{877f3eab-4462-44df-8475-6064eafd7fbf} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Media Access Startup (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{0ba0192d-94a5-45e3-b2b8-3ec5a1a0b5ec} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{2224e955-00e9-4613-a844-ce69fccaae91} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340 (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850 (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\NP_20090716-131408.531.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\NP_20090716-131713.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\NP_20090716-163158.656.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\NP_20090722-164246.750.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Internet Saving Optimizer\3.4.0.4340\NP_20090722-164354.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\config.md (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090716-131408.437.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090716-131713.703.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090716-163158.640.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090722-164246.671.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090722-164354.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-123248.062.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124215.609.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124345.765.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124459.875.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124643.859.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124700.890.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-124906.234.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-125043.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-125341.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-130351.515.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-130825.109.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131119.265.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131143.656.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131201.062.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131207.953.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131233.796.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-131240.781.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Debby M Schultz\Local Settings\Application Data\Media Access Startup\1.5.0.850\HJHP_20090731-133713.046.log (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

#8 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 November 2009 - 05:39 PM

How is your computer behaving now?
Any remaining issues?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 08 November 2009 - 07:40 AM

So far so good.I was out most of yesterday afternoon so I mhave not used it as much as I normally do but I'll give it a try today. Thanks so much for your help and a donation willbe made.
Chuck :(

#10 User is offline   atloss 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 49
  • Joined: 10-April 08

Posted 08 November 2009 - 08:41 AM

I have purchased Mcaffe's antivirus & antspyware program DO I need another seperate spyware program ( say a free one ) and if so whicdfh one is good! Thanks again for all your help.

Chuck

#11 User is offline   Buckeye_Sam 

  • Malware Expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 17,382
  • Joined: 23-December 04
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 November 2009 - 11:26 AM

I always recommend at least two antispyware apps. In your case you could just keep Malwarebytes to support Mcafee and even consider another one such as Spybot also. For what it's worth, Mcafee is not a good antispyware program, so you will need to bump up security elsewhere.



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above


  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls


  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware


  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users