Multiple problems, hopefully not fatal!

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Multiple problems, hopefully not fatal!

#1 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 10 November 2009 - 01:31 PM

Background: started having problems with my notebook a couple of weeks ago with the Security Tool fake virus notices. I was finally able to get Malwarebytes to run, and it seemed to clear it up. I did notice that I then started having Google searches redirected.

I update and run a Malwarebytes Quick scan daily upon startup. I run PCTools Spyware every evening. I use AVG free antivirus and run a full scan daily.

I even downloaded Stopzilla, which quaranteened files but won't remove them because I didn't pay for it.

I'm unemployed and am hoping to avoid having to pay someone to try to clean up my computer.

Newest problem: I noticed that the spyware program didn't launch last night. I tried to start it manually, but after a few minutes, it stopped responding. The only way to shut off the computer was to unplug it.

This morning, I tried again. Same thing. I restarted and tried to run Malwarebytes. It launched but also froze after a few minutes. The mouse moves around, but the clicks do nothing and the keyboard doesn't respond.

I'm typing this from my desktop.

I downloaded the DDS and Rootkey exe files to a flash drive and am attempting running them now, hoping the laptop won't freeze and I can then post the logs here.

#2 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 10 November 2009 - 01:49 PM

OK, it looks like I have the reports. Will post as three separate replies...

Here is the DDS.txt results:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Joan Fletc at 13:26:10.83 on Tue 11/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.362 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cruise Shark\CruiseShark.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\Joan Fletc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: SrchHook Class: {d3f669eb-57ce-4f45-8fbd-e245cbb46366} - c:\program files\stopzilla!\toolbar\SZIESearchHook.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\toolbar\SZSG.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7D962AFF-680D-483A-8D04-6B1ACDDF00E8} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\toolbar\SZSG.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: &Yapta: {c3c07ad6-ace9-43ee-a2af-45bc13f6275f} - c:\program files\yapta\YaptaSidebar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?dwin=1&id=jigsawpuzzles&year=09&month=11&day=6"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\joanfl~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cruise~1.lnk - c:\program files\cruise shark\CruiseShark.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\yapta\YaptaSettings.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\yapta\YaptaSidebar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} - hxxp://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257337155045
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.shockwave.com/content/goldrush/sis/gamehouseplayer.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/chainz2/sis/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} - hxxp://www.shockwave.com/content/davincicode/sis/DVC%20Download%20Control.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7E002D6-324B-4500-883D-84B620FD8640} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles_64916/heartbeat.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: wojuferig - {2b5b5c9d-000a-4fb0-aec6-826b3cffbcaa} - No File
STS: {2b5b5c9d-000a-4fb0-aec6-826b3cffbcaa} - No File
LSA: Notification Packages = scecli scecli vafedewe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joanfl~1\applic~1\mozilla\firefox\profiles\xugrv0f2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\all users\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-10 207280]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-10-7 15172]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-3 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-3 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-3 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-3 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-10 112592]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-30 30152]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-5-12 61328]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-7-17 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-10 358600]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-11-10 18:26:16 1168 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-10 16:26:21 883 ----a-w- c:\windows\RegSDImport.xml
2009-11-10 16:26:21 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-10 16:26:21 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-10 16:26:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:26:21 131 ----a-w- c:\windows\IDB.zip
2009-11-10 16:26:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:26:20 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26:20 1152470 ----a-w- c:\windows\UDB.zip
2009-11-10 16:21:40 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-10 16:21:40 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-10 16:21:01 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-10 16:21:01 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-10 16:21:01 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-10 16:21:01 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-10 16:20:44 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-10 16:20:44 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-10 16:20:33 0 d-----w- c:\program files\common files\PC Tools
2009-11-10 16:20:33 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-10 16:20:32 0 d-----w- c:\program files\Spyware Doctor
2009-11-10 16:20:32 0 d-----w- c:\docume~1\joanfl~1\applic~1\PC Tools
2009-11-01 13:16:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-11-01 13:14:57 0 d-----w- c:\program files\STOPzilla!
2009-11-01 13:14:56 0 d-----w- c:\program files\common files\iS3
2009-11-01 13:14:56 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-29 15:46:29 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2009-10-29 13:10:41 15360 ----a-w- c:\windows\Copy of TASKMAN.EXE
2009-10-29 12:38:46 0 d-----w- c:\program files\seweke
2009-10-27 16:08:16 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 16:08:14 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 15:59:38 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-23 11:56:11 0 d-----w- c:\windows\system32\appmgmt
2009-10-20 19:40:34 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 19:40:24 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 19:38:16 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 19:37:58 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 19:37:40 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 19:35:40 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 19:35:18 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 19:35:04 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 19:31:52 729088 ----a-r- c:\windows\system32\IS3Base5.dll
2009-10-15 18:31:28 0 ----a-w- C:\Settings.ini

==================== Find3M ====================

2009-09-25 05:37:11 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 14:00:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 13:31:21.31 ===============

#3 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 10 November 2009 - 01:51 PM

The Attach.txt file...

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/16/2007 3:02:54 PM
System Uptime: 11/10/2009 1:19:45 PM (0 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel® Pentium® M processor 1.73GHz | mFCPGA | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 72.169 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_FF101179&REV_00\4&1D3F0FBB&0&33F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_8033&SUBSYS_FF101179&REV_00\4&1D3F0FBB&0&33F0
Service:

==== System Restore Points ===================

RP368: 8/11/2009 6:08:08 PM - Spyware Doctor: Cleaning Threats
RP369: 8/12/2009 9:20:33 PM - Software Distribution Service 3.0
RP370: 8/13/2009 6:08:38 PM - Spyware Doctor: Cleaning Threats
RP371: 8/14/2009 7:28:43 PM - Spyware Doctor: Cleaning Threats
RP372: 8/15/2009 6:14:05 PM - Spyware Doctor: Cleaning Threats
RP373: 8/16/2009 6:11:16 PM - Spyware Doctor: Cleaning Threats
RP374: 8/17/2009 7:58:42 PM - Installed Java™ 6 Update 15
RP375: 8/20/2009 8:22:55 AM - System Checkpoint
RP376: 8/21/2009 7:35:15 PM - Spyware Doctor: Cleaning Threats
RP377: 8/21/2009 9:51:24 PM - Software Distribution Service 3.0
RP378: 8/22/2009 9:58:55 AM - Avg8 Update
RP379: 8/22/2009 10:02:09 AM - Avg8 Update
RP380: 8/22/2009 6:09:01 PM - Spyware Doctor: Cleaning Threats
RP381: 8/23/2009 6:10:41 PM - Spyware Doctor: Cleaning Threats
RP382: 8/24/2009 6:09:59 PM - Spyware Doctor: Cleaning Threats
RP383: 8/26/2009 6:09:20 PM - Spyware Doctor: Cleaning Threats
RP384: 8/26/2009 8:36:16 PM - Software Distribution Service 3.0
RP385: 8/27/2009 6:11:18 PM - Spyware Doctor: Cleaning Threats
RP386: 8/28/2009 7:08:57 PM - Spyware Doctor: Cleaning Threats
RP387: 8/30/2009 5:42:02 PM - System Checkpoint
RP388: 8/30/2009 6:11:36 PM - Spyware Doctor: Cleaning Threats
RP389: 8/31/2009 6:09:35 PM - Spyware Doctor: Cleaning Threats
RP390: 9/1/2009 6:09:52 PM - Spyware Doctor: Cleaning Threats
RP391: 9/1/2009 11:07:52 PM - Software Distribution Service 3.0
RP392: 9/3/2009 10:33:25 PM - System Checkpoint
RP393: 9/5/2009 6:07:06 PM - Spyware Doctor: Cleaning Threats
RP394: 9/6/2009 6:10:14 PM - Spyware Doctor: Cleaning Threats
RP395: 9/8/2009 6:13:26 PM - Spyware Doctor: Cleaning Threats
RP396: 9/9/2009 10:03:12 PM - Software Distribution Service 3.0
RP397: 9/10/2009 6:13:20 PM - Spyware Doctor: Cleaning Threats
RP398: 9/12/2009 6:09:31 PM - Spyware Doctor: Cleaning Threats
RP399: 9/14/2009 6:11:32 PM - Spyware Doctor: Cleaning Threats
RP400: 9/16/2009 6:19:50 PM - Spyware Doctor: Cleaning Threats
RP401: 9/17/2009 7:16:03 AM - Installed Windows XP WgaNotify.
RP402: 9/17/2009 6:08:12 PM - Spyware Doctor: Cleaning Threats
RP403: 9/18/2009 7:16:22 PM - Spyware Doctor: Cleaning Threats
RP404: 9/20/2009 6:10:33 PM - Spyware Doctor: Cleaning Threats
RP405: 9/21/2009 6:11:13 PM - Spyware Doctor: Cleaning Threats
RP406: 9/23/2009 9:06:32 AM - Removed Cruise Shark
RP407: 9/23/2009 9:07:14 AM - Installed Cruise Shark
RP408: 9/23/2009 6:07:47 PM - Spyware Doctor: Cleaning Threats
RP409: 9/24/2009 6:15:37 PM - System Checkpoint
RP410: 9/25/2009 8:31:16 PM - System Checkpoint
RP411: 9/27/2009 6:16:04 PM - System Checkpoint
RP412: 9/28/2009 6:12:59 PM - Spyware Doctor: Cleaning Threats
RP413: 9/30/2009 3:55:30 PM - System Checkpoint
RP414: 9/30/2009 6:16:28 PM - Spyware Doctor: Cleaning Threats
RP415: 10/1/2009 6:08:18 PM - Spyware Doctor: Cleaning Threats
RP416: 10/3/2009 8:13:49 AM - System Checkpoint
RP417: 10/3/2009 6:07:51 PM - Spyware Doctor: Cleaning Threats
RP418: 10/4/2009 6:20:25 PM - Spyware Doctor: Cleaning Threats
RP419: 10/5/2009 9:30:51 AM - Avg8 Update
RP420: 10/5/2009 9:33:49 AM - Avg8 Update
RP421: 10/6/2009 6:40:26 PM - Spyware Doctor: Cleaning Threats
RP422: 10/7/2009 9:39:19 AM - Avg8 Update
RP423: 10/7/2009 6:25:41 PM - Spyware Doctor: Cleaning Threats
RP424: 10/9/2009 11:30:51 AM - System Checkpoint
RP425: 10/9/2009 7:49:34 PM - Spyware Doctor: Cleaning Threats
RP426: 10/10/2009 6:08:13 PM - Spyware Doctor: Cleaning Threats
RP427: 10/12/2009 6:19:44 PM - Spyware Doctor: Cleaning Threats
RP428: 10/12/2009 10:09:01 PM - Software Distribution Service 3.0
RP429: 10/15/2009 6:28:17 PM - System Checkpoint
RP430: 10/15/2009 9:57:59 PM - Software Distribution Service 3.0
RP431: 10/16/2009 7:55:07 PM - Spyware Doctor: Cleaning Threats
RP432: 10/17/2009 9:07:18 AM - Avg8 Update
RP433: 10/17/2009 6:09:51 PM - Spyware Doctor: Cleaning Threats
RP434: 10/18/2009 6:11:44 PM - Spyware Doctor: Cleaning Threats
RP435: 10/19/2009 6:18:18 PM - Spyware Doctor: Cleaning Threats
RP436: 10/20/2009 2:07:21 PM - Avg8 Update
RP437: 10/21/2009 6:11:24 PM - Spyware Doctor: Cleaning Threats
RP438: 10/21/2009 6:28:27 PM - Spyware Doctor: Cleaning Threats
RP439: 10/22/2009 6:16:35 PM - Spyware Doctor: Cleaning Threats
RP440: 10/23/2009 7:16:58 PM - System Checkpoint
RP441: 10/23/2009 7:21:06 PM - Spyware Doctor: Cleaning Threats
RP442: 10/23/2009 7:21:27 PM - Spyware Doctor: Cleaning Threats
RP443: 10/26/2009 6:55:55 PM - Spyware Doctor: Cleaning Threats
RP444: 10/27/2009 6:09:14 PM - Spyware Doctor: Cleaning Threats
RP445: 10/28/2009 6:08:21 PM - Spyware Doctor: Cleaning Threats
RP446: 10/29/2009 6:09:32 PM - Spyware Doctor: Cleaning Threats
RP447: 10/22/2009 6:24:12 PM - System Checkpoint
RP448: 10/23/2009 7:55:08 AM - Removed Skype™ 3.8
RP449: 10/31/2009 8:16:59 PM - System Checkpoint
RP450: 11/1/2009 9:14:44 AM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP451: 11/1/2009 9:04:16 PM - Spyware Doctor: Cleaning Threats
RP452: 11/1/2009 10:10:22 PM - Spyware Doctor: Cleaning Threats
RP453: 11/2/2009 7:13:17 PM - Spyware Doctor: Cleaning Threats
RP454: 11/3/2009 9:53:24 AM - Avg8 Update
RP455: 11/3/2009 7:07:54 PM - Spyware Doctor: Cleaning Threats
RP456: 11/4/2009 8:27:24 AM - Software Distribution Service 3.0
RP457: 11/4/2009 5:57:55 PM - Spyware Doctor: Cleaning Threats
RP458: 11/5/2009 7:20:09 PM - Spyware Doctor: Cleaning Threats
RP459: 11/6/2009 10:32:22 AM - Avg8 Update
RP460: 11/6/2009 8:57:13 PM - Spyware Doctor: Cleaning Threats
RP461: 11/7/2009 7:24:09 PM - Spyware Doctor: Cleaning Threats
RP462: 11/8/2009 6:06:17 PM - Spyware Doctor: Cleaning Threats
RP463: 11/9/2009 7:37:40 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Apple Software Update
AVG Free 8.5
Browser Defender 2.0.6.10
Choice Guard
Cruise Shark
DING!
Flickr Uploadr 2.5.0.15
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
HOT ALBUM MYBOX
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
iS3 STOPzilla Toolbar
Java™ 6 Update 15
Java™ 6 Update 3
Java™ 6 Update 5
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
Nimo Codecs Pack v5.0 (Remove Only)
Photo Transport
Picasa 2
QuickTime
RealPlayer
Sandlot Games Client Services 1.2.2
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
SolveigMM WMP Trimmer Plugin
SoundMAX
Spyware Doctor 7.0
STOPzilla
TOSHIBA Hotkey Utility
TOSHIBA Software Modem
TOSHIBA Utilities
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Verizon Broadband Toolbar
Verizon Help and Support Tool
Verizon Online DSL
Verizon Servicepoint 1.5.12
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
Yapta

==== Event Viewer Messages From Past Week ========

11/9/2009 10:24:58 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
11/7/2009 7:28:53 PM, error: Service Control Manager [7034] - The STOPzilla Service service terminated unexpectedly. It has done this 1 time(s).
11/6/2009 12:06:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
11/6/2009 10:33:29 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.

==== End Of File ===========================

#4 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 10 November 2009 - 01:53 PM

And the results from the RootRepeal program...

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 13:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA197000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B38000 Size: 8192 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf747ae22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf745bcdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf745bece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf747b610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf747b8c4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7479b14

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf747bd30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf747b0e2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf745b982

==EOF==

Thanks!

#5 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 10 November 2009 - 04:35 PM

I was able to run a full scan of Malwarebytes and it told me it didn't find anything. I find that hard to believe, given the issues I'm having.

I also ran a full scan using STOPZilla. Unfortunately, there's no way to save the results log. I was able to hover over the results page and copied down the top 3 most serious results and their locations...

Vundo.Q hkus\s-1-5-21-1844237615-842925246-854245398-1003\software\Microsoft\fias4018

Irito6C97-cfa c:\xcrashdump.dat

Seres c:\system volume information\_restore{566fb8d5-ce4e-4342-bf7b-24c70885c870}\rp445\a0174395.exe

.....
Any recommendations on how to remove these would be greatly appreciated.

One more thing - I haven't updated my Internet Explorer on the notebook. I have on my desktop, and can't say I care for it, so had just left IE6 on the notebook. Will updating my browser help at all?

#6 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 11 November 2009 - 11:34 AM

Still waiting for some advice.

Since last post, computer seemed to be ok for a little while last night. Then I decided to try to run Spyware. It launched but froze immediately.

Same problem as before. Computer starts, everything loads, but as soon as I click on anything, it freezes. I can't do a safe boot apparently because I can't shut down normally. The only way to turn it off is to unplug it.

So, today, it is totally useless. I really need to be able to use this machine but can't see how it can be healed if nothing will run!

Please help me!

#7 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 16 November 2009 - 07:30 AM

I've really tried to be paitent, but this was all the way back to page 9 and I saw other much more recent threads that had responses, so at the risk of irritating people, I just have to bump this.

I even sent a message via the Contact Us link yesterday asking if there was any timetable for receiving help and have no response to that at this time.

I'm crying here. Literally. I absolutely HAVE to have my laptop and I haven't even tried turning it on since my last post. I'm paraoid that this desktop will also get infected and then I'll really be screwed. I updated to AVG 9 (free) and update and run Malaware bytes daily, but it is excrutiatingly slow. As I type, I have to stop and wait for the text to catch up. Once we get the laptop healthy (keeping my fingers crossed), I'll ask for help with this machine.

Anyway, I really, really, really need the laptop cured. Could someone/anyone PLEASE help me?

I think the infections may be fatal.

PLEASE HELP ME! Please?

#8 Grinler

Bleep Bleep!

Group: Admin
Posts: 36,174
Joined: 24-January 04
Gender:Male
Location:USA

Posted 16 November 2009 - 04:34 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

Lawrence Abrams
Circle BleepingComputer on Google+!
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
How to detect vulnerable programs using Secunia Personal Software Inspector <- Everyone should do this!

#9 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 17 November 2009 - 09:44 AM

Booted the laptop, everything loads, but when I tried to disable the antivirus (AVG Free 8.5) it freezes, as explained in post #6, so I can't even open IE to get to the ComboFix download.

As also noted in prior posts, I can't boot in safe mode because once the computer freezes, I can't shut down normally. I have to unplug it to turn it off.

OK, I rebooted and without doing anything else, I immediately did a "normal" shut down, so hopefully, if I need to, I can restart in safe mode.

Please let me know how to proceed.

Thanks.

#10 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 17 November 2009 - 10:03 AM

Sorry, but I lied. The normal shutdown did not work. It appeared to be shutting down and then just stopped. Then the mouse and keyboard froze and had to unplug it again.

#11 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 17 November 2009 - 10:48 AM

Right, so I did what I had done on the earlier scans. I downloaded ComboFix not to my laptop desktop (since I couldn't open IE), but to a flash drive, then was able to plug that into the laptop and drag the icon to the laptop's desktop and it is now running. We're at Stage 50. If it doesn't freeze on me when I try to save the log, I'll post it here when it is complete.

#12 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 17 November 2009 - 11:08 AM

OK! Here's the ComboFix log file. Will wait for further instructions and won't touch the laptop for now.

ComboFix 09-11-17.03 - Joan Fletc 11/17/2009 10:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.628 [GMT -5:00]
Running from: c:\documents and settings\Joan Fletc\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\_004753_.tmp.dll
c:\windows\system32\_004754_.tmp.dll
c:\windows\system32\_004755_.tmp.dll
c:\windows\system32\_004756_.tmp.dll
c:\windows\system32\_004763_.tmp.dll
c:\windows\system32\_004764_.tmp.dll
c:\windows\system32\_004765_.tmp.dll
c:\windows\system32\_004766_.tmp.dll
c:\windows\system32\mssfc.dll
c:\windows\system32\sfcfiles.dat
c:\windows\system32\tdlwsp.dll
C:\xcrashdump.dat

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-10 18:32 . 2009-11-10 18:32 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-10 16:26 . 2009-10-08 16:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-10 16:26 . 2009-10-08 16:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-10 16:26 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2009-11-10 16:26 . 2009-10-08 16:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-10 16:26 . 2009-10-08 16:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-10 16:26 . 2009-10-02 19:19 1152470 ----a-w- c:\windows\UDB.zip
2009-11-10 16:21 . 2009-09-24 13:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-10 16:21 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-10 16:21 . 2009-09-23 21:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-10 16:20 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-10 16:20 . 2009-11-10 16:26 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-10 16:20 . 2009-11-10 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-10 16:20 . 2009-11-17 15:31 -------- d-----w- c:\program files\Spyware Doctor
2009-11-10 16:20 . 2009-11-10 16:20 -------- d-----w- c:\documents and settings\Joan Fletc\Application Data\PC Tools
2009-11-10 15:58 . 2009-11-10 15:58 -------- d-----w- c:\documents and settings\Joan Fletc\Local Settings\Application Data\Threat Expert
2009-11-06 14:32 . 2009-10-20 18:05 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-01 13:16 . 2009-11-10 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-11-01 13:14 . 2009-11-01 13:15 -------- d-----w- c:\program files\STOPzilla!
2009-11-01 13:14 . 2009-11-17 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-11-01 13:14 . 2009-11-01 13:14 -------- d-----w- c:\program files\Common Files\iS3
2009-10-29 19:33 . 2009-10-29 19:33 17217008 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-10-29 15:46 . 2009-10-29 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-10-29 13:10 . 2004-08-04 12:00 15360 ----a-w- c:\windows\Copy of TASKMAN.EXE
2009-10-29 12:38 . 2009-10-29 17:39 -------- d-----w- c:\program files\seweke
2009-10-27 16:08 . 2009-10-27 16:08 545424 ----a-r- c:\windows\system32\SZComp5.dll
2009-10-27 16:08 . 2009-10-27 16:08 402064 ----a-r- c:\windows\system32\SZBase5.dll
2009-10-27 15:59 . 2009-10-27 15:59 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-10-20 19:40 . 2009-10-20 19:40 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-10-20 19:40 . 2009-10-20 19:40 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-10-20 19:38 . 2009-10-20 19:38 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-10-20 19:37 . 2009-10-20 19:37 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-10-20 19:37 . 2009-10-20 19:37 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-10-20 19:35 . 2009-10-20 19:35 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-10-20 19:35 . 2009-10-20 19:35 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-10-20 19:35 . 2009-10-20 19:35 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-10-20 19:31 . 2009-10-20 19:31 729088 ----a-r- c:\windows\system32\IS3Base5.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-17 15:53 . 2008-06-07 14:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-17 14:24 . 2007-07-17 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-29 16:30 . 2008-08-26 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 11:55 . 2008-05-26 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-23 11:53 . 2008-05-26 15:25 -------- d-----w- c:\documents and settings\Joan Fletc\Application Data\skypePM
2009-10-22 11:44 . 2008-12-04 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-14 13:40 . 2007-09-14 02:46 -------- d-----w- c:\program files\Verizon
2009-10-11 22:22 . 2008-10-04 14:43 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-29 22:35 . 2009-09-29 22:35 64000 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-29 22:35 . 2009-09-29 22:35 52288 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-29 22:35 . 2009-09-29 22:35 50688 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-29 22:35 . 2009-09-29 22:35 114688 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-25 18:06 . 2009-09-18 20:30 -------- d-----w- c:\program files\PopCap Games
2009-09-25 18:05 . 2009-09-25 17:16 22 ----a-w- c:\windows\popcinfot.dat
2009-09-25 17:15 . 2009-09-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-25 05:37 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 13:07 . 2009-04-19 12:25 -------- d-----w- c:\program files\Cruise Shark
2009-09-15 15:06 . 2009-09-15 15:06 8406648 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-15 15:05 . 2009-09-15 15:05 10309448 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-11 14:18 . 2009-03-30 22:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2008-08-26 19:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2008-08-26 19:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 14:37 . 2009-09-10 14:37 488968 ----a-w- c:\documents and settings\Joan Fletc\Application Data\Real\Update\setup\setup.exe
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 14:00 . 2008-12-04 00:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 14:00 . 2008-12-04 00:04 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-22 14:00 . 2007-07-16 20:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2008-08-07 02:18 . 2008-08-07 02:18 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfcfiles.dll

c:\windows\system32\sfcfiles.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-08 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-08 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-08 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 368640]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"MBBalloon"="c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-04-12 88358]

c:\documents and settings\Joan Fletc\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cruise Shark.lnk - c:\program files\Cruise Shark\CruiseShark.exe [2009-5-14 274944]
MediaChecker.lnk - c:\program files\HOTALBUMMyBOX\MediaChecker.exe [2007-2-13 915096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 14:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/10/2009 11:21 AM 207280]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [10/7/2007 7:31 AM 15172]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/3/2008 7:04 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/3/2008 7:04 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/3/2008 7:03 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2008 7:03 PM 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/10/2009 11:26 AM 112592]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/30/2008 11:13 PM 30152]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [5/12/2009 2:13 PM 61328]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/17/2007 5:05 PM 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/10/2009 11:20 AM 358600]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-17 22:15]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{0362b485-11fe-469c-ae98-42f478e581a0} - c:\program files\Yapta\YaptaSettings.exe
IE: {{0094A600-9BDD-4019-BAFE-487284F7D476} - {C3C07AD6-ACE9-43EE-A2AF-45BC13F6275F} - c:\program files\Yapta\YaptaSidebar.dll
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.shockwave.com/content/goldrush/sis/gamehouseplayer.cab
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
FF - ProfilePath - c:\documents and settings\Joan Fletc\Application Data\Mozilla\Firefox\Profiles\xugrv0f2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
FF - component: c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{7D962AFF-680D-483A-8D04-6B1ACDDF00E8} - (no file)
Toolbar-SITEguard - (no file)
SharedTaskScheduler-{2b5b5c9d-000a-4fb0-aec6-826b3cffbcaa} - (no file)
SSODL-wojuferig-{2b5b5c9d-000a-4fb0-aec6-826b3cffbcaa} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 10:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(968)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-11-17 11:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 16:05

Pre-Run: 77,460,717,568 bytes free
Post-Run: 79,200,645,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 99CF1FCBBAA0A8A926D0154BB3814E20

#13 Grinler

Bleep Bleep!

Group: Admin
Posts: 36,174
Joined: 24-January 04
Gender:Male
Location:USA

Posted 18 November 2009 - 04:11 PM

Looks good. Computer running better?

Do you know what this folder is?

c:\program files\seweke

#14 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 18 November 2009 - 04:59 PM

Well, I hadn't touched it since I posted the log. Reading the ComboFix instructions, it mentioned that running it once sometimes cleared everything up, but since I didn't know how to interpret the log, I was afraid perhaps that wasn't the case and I should leave it alone until I heard back from someone.

It appears that the Google search redirect has stopped. That's wonderful!

Remaining issues:

I have no idea what that folder is. There are no files in it. Details say it was modified 10/29/09. Should I delete it?

Should I run HJT and post the log somewhere else? Is that even necessary?

I guess I should update my AVG to 9.0.

Will updating IE from 6.0 to 8.0 help anything, security-wise? I have 8.0 on this desktop and can't say I'm all that thrilled with it.

I may start a thread about this desktop. It is really, really slow. Excrutiatingly slow. Malware bytes is updated and run daily, but nothing is ever found.

Back to the laptop - last question - is running AVG Free (with all the options of the free version active); a Malwarebytes Quick Scan daily and a full scan weekly sufficient? Do I need to download and run Spyware Doctor daily as well? I feel like I spend more time running scans than I do anything else, yet I still get infected. I won't even check my email on the laptop using Outlook or Outlook Express because I thought I was getting infected through email attachments.

Anyway, thanks for the help! It is greatly appreciated! When/if I get a job, I'll make a donation.

#15 smellywalrus

Member

Group: Members
Posts: 24
Joined: 10-November 09

Posted 18 November 2009 - 07:12 PM

I moved my laptop back downstairs (away from the desktop where I had been typing the info). When I booted it, I had no internet connection (although the icon told me I was connected). I did the 'repair' and all seemed fine.

I decided to update Malwarebytes and run a full scan.

It found Rootkit.TDSS

Here's the log for the scan...

Malwarebytes' Anti-Malware 1.41
Database version: 3195
Windows 5.1.2600 Service Pack 3

11/18/2009 7:00:17 PM
mbam-log-2009-11-18 (19-00-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167628
Time elapsed: 52 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\tdlwsp.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

******

Do we need to do anything else to ensure that this really is gone? Is it expected that something like this should still be on here after the ComboFix? I'm just paranoid that there are still nasty things lurking that haven't been found/removed/repaired.

Again, many thanks for the help!