Trojans, Adware and Spyware PLEASE HELP!!

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Trojans, Adware and Spyware PLEASE HELP!! Malware removal- need instructions

#1 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 11 November 2009 - 12:41 AM

Hi, my computer is infected with various trojans and adware. I ran AVG and Malwarebytes, but problems still remain. A virus keeps invading my email and sending links to everyone in my contact list, and the computer is going very slow. I have the DDS files, but RootRepeal will NOT RUN. I have tried to run it 5 times and it won't get past the initializing stage. Thanks for your help!!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Gail at 22:10:46.18 on Tue 11/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.132 [GMT -6:00]

AV: avast! antivirus 4.7.1001 [VPS 000742-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gail\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.livejournal.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {83de62e0-5805-11d8-9b25-00e04c60faf2} - c:\windows\2_0_1browserhelper2.dll
BHO: brdg Class: {9c691a33-7dda-4c2f-be4c-c176083f35cf} - c:\windows\system32\bridge.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {339BB23F-A864-48C0-A59F-29EA915965EC} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0819.dll
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AIM] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeper.exe /0
uRun: [PopUpWasher] c:\program files\webroot\popupwasher\PopUpWasher.exe
uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ConMgr.exe] "c:\program files\earthlink 5.0\ConMgr.exe"
mRun: [UpdateMgr.exe] "c:\program files\earthlink 5.0\updatemgr.exe" /NOCM
mRun: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
mRun: [cQFHQ1ox] c:\progra~1\uotpwvuo\boQDBAAN.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02E641D9-DD62-11D2-8CC7-00104B9C5F24} - hxxp://pc2pc.pcfirst.com/profile.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D76EB71-F632-75E3-529A-0836E1BCB4D8} - hxxp://public.searchbarcash.com/cab/352/qpmytsxh.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {376C54B9-93B3-EF5D-72FF-D2C8448AC6F9} - hxxp://public.searchbarcash.com/cab/026/ckwsfqqk.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {52DCAD2D-D5DD-8EA5-315A-B4FE032A28F9} - hxxp://public.searchbarcash.com/cab/350/anmqsrho.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/15a1b2cd135a700b9100/netzip/RdxIE601.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - hxxps://www.emdat.com/printing/PrinterBvr/setup.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6C49A32B-6730-6C4B-87AF-DBA39448D8AF} - hxxp://public.searchbarcash.com/cab/042/idkwmkty.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
DPF: {75FA17B8-2A69-11D3-8181-00600849097E} - hxxp://pc2pc.pcfirst.com/lancab.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {7F2B67F2-B96D-11D3-88CA-0020188CF76E} - hxxp://pc2pc.pcfirst.com/LANCab.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} - hxxp://public.searchbarcash.com/cab/039/nezqauyr.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.8420717593
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
DPF: {C5ADA8BC-CC22-AB2E-EACB-B829C20A89BD} - hxxp://public.searchbarcash.com/cab/000/hhawusyy.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D61570B1-61E1-6851-CBF7-B7915CBDFA4E} - hxxp://public.searchbarcash.com/cab/002/zqonalph.cab
DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - hxxp://install.serviceurl.de/StarInstall.ocx
DPF: {F7ADCFE3-AA28-F99E-E665-B13AC332D249} - hxxp://public.searchbarcash.com/cab/351/atrwzpca.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gail\applic~1\mozilla\firefox\profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 WinIK;WinIK;c:\windows\system32\drivers\winik.sys [2005-1-23 14976]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-29 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-29 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-3-15 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-29 285392]
R2 WinDriver;WinDriver;c:\windows\system32\drivers\windrvr.sys [2005-2-24 205220]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]

=============== Created Last 30 ================

2009-11-09 19:25:20 0 d-----w- c:\docume~1\gail\applic~1\Malwarebytes
2009-11-09 19:24:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 19:24:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 06:55:18 47 ----a-w- c:\windows\NeroDigital.ini
2009-10-29 16:11:00 0 d--h--w- C:\$AVG
2009-10-29 16:09:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09:15 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09:04 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-29 16:07:26 0 d-----w- c:\program files\AVG
2009-10-29 16:07:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 22:23:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2004-03-20 03:18:14 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59:00 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00:00 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56:46 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56:42 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56:43 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56:43 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38:13 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56:44 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56:55 11776 --sha-w- c:\windows\system32\regsvr32.exe

============= FINISH: 22:12:14.25 ===============

Attached File(s)

Attachdds.txt (18.94K)
Number of downloads: 14

#2 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 17 November 2009 - 09:13 AM

Hello ,
And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following

The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
A detailed description of your problems
A new DDS log
GMER log

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#3 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 21 November 2009 - 10:32 AM

Thank you for your response. I am still having problems with trojans and spyware/adware. There are various trojans and eventapps running on my machine. They keep sending links to everyone in my email contact list. AVG and Malwarebytes removed some, but not all, of the problems. Below are the new DDS and GMER logs. Thank you!!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Gail at 9:09:25.95 on Sat 11/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.93 [GMT -6:00]

AV: avast! antivirus 4.7.1001 [VPS 000742-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Gail\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.livejournal.com/
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: IDXHlprObj Class: {31816979-f864-4acf-919f-d0b3b56432e6} - c:\windows\downloaded program files\IDXIEController.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {83de62e0-5805-11d8-9b25-00e04c60faf2} - c:\windows\2_0_1browserhelper2.dll
BHO: brdg Class: {9c691a33-7dda-4c2f-be4c-c176083f35cf} - c:\windows\system32\bridge.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} - c:\progra~1\common~1\real\toolbar\realbar.dll
TB: My &Search Bar: {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\MYBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {339BB23F-A864-48C0-A59F-29EA915965EC} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0819.dll
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AIM] c:\program files\aim95\aim.exe -cnetwait.odl
uRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeper.exe /0
uRun: [PopUpWasher] c:\program files\webroot\popupwasher\PopUpWasher.exe
uRun: [Yahoo! Pager] c:\progra~1\yahoo!\messen~1\ypager.exe -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ConMgr.exe] "c:\program files\earthlink 5.0\ConMgr.exe"
mRun: [UpdateMgr.exe] "c:\program files\earthlink 5.0\updatemgr.exe" /NOCM
mRun: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
mRun: [cQFHQ1ox] c:\progra~1\uotpwvuo\boQDBAAN.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02E641D9-DD62-11D2-8CC7-00104B9C5F24} - hxxp://pc2pc.pcfirst.com/profile.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2D76EB71-F632-75E3-529A-0836E1BCB4D8} - hxxp://public.searchbarcash.com/cab/352/qpmytsxh.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {376C54B9-93B3-EF5D-72FF-D2C8448AC6F9} - hxxp://public.searchbarcash.com/cab/026/ckwsfqqk.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {52DCAD2D-D5DD-8EA5-315A-B4FE032A28F9} - hxxp://public.searchbarcash.com/cab/350/anmqsrho.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://207.188.7.150/15a1b2cd135a700b9100/netzip/RdxIE601.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - hxxps://www.emdat.com/printing/PrinterBvr/setup.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6C49A32B-6730-6C4B-87AF-DBA39448D8AF} - hxxp://public.searchbarcash.com/cab/042/idkwmkty.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
DPF: {75FA17B8-2A69-11D3-8181-00600849097E} - hxxp://pc2pc.pcfirst.com/lancab.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {7F2B67F2-B96D-11D3-88CA-0020188CF76E} - hxxp://pc2pc.pcfirst.com/LANCab.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} - hxxp://public.searchbarcash.com/cab/039/nezqauyr.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37856.8420717593
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
DPF: {C5ADA8BC-CC22-AB2E-EACB-B829C20A89BD} - hxxp://public.searchbarcash.com/cab/000/hhawusyy.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D61570B1-61E1-6851-CBF7-B7915CBDFA4E} - hxxp://public.searchbarcash.com/cab/002/zqonalph.cab
DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - hxxp://install.serviceurl.de/StarInstall.ocx
DPF: {F7ADCFE3-AA28-F99E-E665-B13AC332D249} - hxxp://public.searchbarcash.com/cab/351/atrwzpca.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gail\applic~1\mozilla\firefox\profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 WinIK;WinIK;c:\windows\system32\drivers\winik.sys [2005-1-23 14976]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-29 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-29 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-3-15 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-29 285392]
R2 WinDriver;WinDriver;c:\windows\system32\drivers\windrvr.sys [2005-2-24 205220]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-11-11 03:49:51 4194478 ----a-w- c:\windows\pfirewall.log.old
2009-11-09 19:25:20 0 d-----w- c:\docume~1\gail\applic~1\Malwarebytes
2009-11-09 19:24:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-09 19:24:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 06:55:18 47 ----a-w- c:\windows\NeroDigital.ini
2009-10-29 16:11:00 0 d--h--w- C:\$AVG
2009-10-29 16:09:43 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09:41 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09:15 0 d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09:04 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-29 16:07:26 0 d-----w- c:\program files\AVG
2009-10-29 16:07:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-03-20 03:18:14 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59:00 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00:00 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56:46 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56:42 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56:43 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56:43 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38:13 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56:44 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56:55 11776 --sha-w- c:\windows\system32\regsvr32.exe

============= FINISH: 9:10:40.01 ===============

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-21 09:23:18
Windows 5.1.2600 Service Pack 2
Running: wmij0pp6.exe; Driver: C:\DOCUME~1\Gail\LOCALS~1\Temp\uxldipob.sys

---- System - GMER 1.0.15 ----

SSDT WinIK.sys ZwDeleteKey [0xF8A09A32]
SSDT WinIK.sys ZwDeleteValueKey [0xF8A09A7C]
SSDT WinIK.sys ZwEnumerateKey [0xF8A09BFC]
SSDT WinIK.sys ZwEnumerateValueKey [0xF8A09C0A]
SSDT WinIK.sys ZwSetValueKey [0xF8A09B2E]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\WinIK.sys Access is denied.

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs WinIK.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

Attached File(s)

Attachdds.txt (17.79K)
Number of downloads: 13

#4 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 21 November 2009 - 11:07 AM

Hello popfonacs,

UNINSTALL PROGRAMS
--------------------------------
Go to Start > Control Panel > Add or Remove Programs.

Remove the following programs, if they are present.

My Search Bar
My Web Search Bar
Viewpoint Media Player

If you are unsure of how to use Add or Remove Programs, then please see this tutorial:
How To Remove An Installed Program From Your Computer

COMBOFIX
---------------
Please download ComboFix from one of these locations:

Bleepingcomputer

ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please include the following:
Combofix.txt

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#5 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 21 November 2009 - 03:17 PM

Elise,

I was not able to remove the 'My WebSearch Bar' in add/remove programs. When I try, it says 'specified module could not be found'. Below is the Combofix log:

ComboFix 09-11-20.05 - Gail 11/21/2009 13:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.95 [GMT -6:00]
Running from: c:\documents and settings\Gail\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\e2g
c:\program files\e2g\data.new
c:\program files\FunWebProducts
c:\program files\FunWebProducts\PopSwatr\History\allowed
c:\program files\FunWebProducts\PopSwatr\History\notallow
c:\program files\FunWebProducts\Shared\Cache\CheckersAIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\ChessAIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\EnableDisableAIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\NoSettingAIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\ReversiAIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\Cache\02592407.bin
c:\program files\MyWebSearch\bar\Cache\02592753.bin
c:\program files\MyWebSearch\bar\Cache\02592A7F.bin
c:\program files\MyWebSearch\bar\Cache\025E5262.bin
c:\program files\MyWebSearch\bar\Cache\025E5BD8.bin
c:\program files\MyWebSearch\bar\Cache\025E5F04.bin
c:\program files\MyWebSearch\bar\Cache\025E60E9.bin
c:\program files\MyWebSearch\bar\Cache\025E63C7.bin
c:\program files\MyWebSearch\bar\Cache\025E65BB.bin
c:\program files\MyWebSearch\bar\Cache\025E6945.bin
c:\program files\MyWebSearch\bar\Cache\025E6E37.bin
c:\program files\MyWebSearch\bar\Cache\02923306
c:\program files\MyWebSearch\bar\Cache\067D5F76.bin
c:\program files\MyWebSearch\bar\Cache\2B3AB5F1.bin
c:\program files\MyWebSearch\bar\Cache\2E6D3D86
c:\program files\MyWebSearch\bar\Cache\3E350617.bin
c:\program files\MyWebSearch\bar\Cache\3E350905.bin
c:\program files\MyWebSearch\bar\Cache\3E350D2B.bin
c:\program files\MyWebSearch\bar\Cache\4E00119F.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search
c:\program files\MyWebSearch\bar\Settings\prevcfg.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\patch.exe
c:\windows\system32\mspr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC
-------\Legacy_WINDRIVER
-------\Service_WinDriver

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-20 15:09 . 2009-10-29 16:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-12 17:05 . 2009-11-09 18:18 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 17:05 . 2009-11-09 18:18 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 17:05 . 2009-11-09 18:17 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 17:05 . 2009-10-29 16:08 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 17:04 . 2009-11-12 17:02 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 17:04 . 2009-11-12 17:02 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 19:25 . 2009-11-09 19:25 -------- d-----w- c:\documents and settings\Gail\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24 . 2009-11-09 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24 . 2009-11-09 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 18:19 . 2009-10-29 16:09 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 18:12 . 2009-11-09 18:12 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 18:12 . 2009-10-29 16:07 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-04 18:47 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 23:20 . 2009-11-21 19:24 0 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\prvlcl.dat
2009-10-29 16:12 . 2009-10-29 16:12 -------- d-----w- c:\documents and settings\Gail\Local Settings\Application Data\AVG Security Toolbar
2009-10-29 16:11 . 2009-10-29 16:32 -------- d-----w- C:\$AVG
2009-10-29 16:09 . 2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09 . 2009-11-09 18:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09 . 2009-10-29 16:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09 . 2009-10-29 16:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 16:09 . 2009-11-21 15:41 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09 . 2009-11-04 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-29 16:07 . 2009-10-29 16:07 -------- d-----w- c:\program files\AVG
2009-10-29 16:07 . 2009-11-20 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 19:57 . 2009-02-14 00:47 78016 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 19:19 . 2004-02-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-20 07:56 . 2007-07-02 02:19 -------- d-----w- c:\documents and settings\Gail\Application Data\U3
2009-11-10 21:57 . 2009-02-02 00:07 -------- d-----w- c:\program files\Norton Internet Security
2009-11-10 04:16 . 2009-01-21 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-10 03:46 . 2002-05-03 23:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-10 03:45 . 2002-05-03 23:33 -------- d-----w- c:\program files\Symantec
2009-11-10 03:43 . 2004-12-20 23:03 -------- d-----w- c:\program files\Soulseek
2009-09-29 01:44 . 2004-01-08 21:36 -------- d-----w- c:\documents and settings\Gail\Application Data\Aim
2009-09-29 01:29 . 2004-01-09 13:31 -------- d-----w- c:\documents and settings\alicia\Application Data\Aim
2009-09-23 02:10 . 2009-09-23 02:10 -------- d-----w- c:\program files\Emdat
2009-09-11 14:33 . 2002-05-21 08:34 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-05-21 08:34 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-06-23 17:33 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-05-21 08:33 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2003-08-24 03:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-03-20 03:18 . 2004-03-20 03:17 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59 . 2004-02-06 00:22 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00 . 2002-05-21 08:35 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56 . 2002-05-21 08:35 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-05-21 08:34 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-05-21 08:34 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2003-08-24 03:24 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 . 2002-05-21 08:35 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-05-21 08:35 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-05-21 08:35 11776 --sha-w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM95\aim.exe" [2004-04-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"UpdateMgr.exe"="c:\program files\EarthLink 5.0\updatemgr.exe" [2002-01-04 61440]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 148888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-03 100032]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2006-3-12 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-9-11 217088]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-3 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iMesh.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iMesh.lnk
backup=c:\windows\pss\iMesh.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=c:\windows\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 WinIK;WinIK;c:\windows\system32\drivers\winik.sys [1/23/2005 3:55 PM 14976]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2009 10:09 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2009 10:09 AM 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/15/2007 10:31 AM 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/29/2009 10:07 AM 285392]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
IE: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {02E641D9-DD62-11D2-8CC7-00104B9C5F24} - hxxp://pc2pc.pcfirst.com/profile.cab
DPF: {376C54B9-93B3-EF5D-72FF-D2C8448AC6F9} - hxxp://public.searchbarcash.com/cab/026/ckwsfqqk.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - hxxps://www.emdat.com/printing/PrinterBvr/setup.cab
DPF: {6C49A32B-6730-6C4B-87AF-DBA39448D8AF} - hxxp://public.searchbarcash.com/cab/042/idkwmkty.cab
DPF: {75FA17B8-2A69-11D3-8181-00600849097E} - hxxp://pc2pc.pcfirst.com/lancab.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {7F2B67F2-B96D-11D3-88CA-0020188CF76E} - hxxp://pc2pc.pcfirst.com/LANCab.cab
DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} - hxxp://public.searchbarcash.com/cab/039/nezqauyr.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
DPF: {C5ADA8BC-CC22-AB2E-EACB-B829C20A89BD} - hxxp://public.searchbarcash.com/cab/000/hhawusyy.cab
FF - ProfilePath - c:\documents and settings\Gail\Application Data\Mozilla\Firefox\Profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
HKCU-Run-PopUpWasher - c:\program files\Webroot\PopUpWasher\PopUpWasher.exe
HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe
HKLM-Run-cQFHQ1ox - c:\progra~1\uotpwvuo\boQDBAAN.exe
AddRemove-DyFuCA Software Installer - c:\program files\Internet Optimizer\install.exe
AddRemove-Internet Optimizer Software Installer - c:\program files\Internet Optimizer\install.exe
AddRemove-Windows SR 2.0 - c:\windows\UnstSA2.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3152)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\nvsvc32.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\mrtMngr.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-11-21 14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-21 20:05

Pre-Run: 48,483,368,960 bytes free
Post-Run: 48,511,844,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - A8C865F51F4000DD41F92C21CFC9B084

This post has been edited by popfonacs: 21 November 2009 - 03:17 PM

#6 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 21 November 2009 - 03:42 PM

Hello popfonacs,

CF-SCRIPT
-------------
We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://www.blazefind.com
IE: &Search - [url="http://bar.mywebsearch.com/menusearch.html?p=ZS"]http://bar.mywebsearch.com/menusearch.html?p=ZS[/url]
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
Trusted Zone: emdat.com
Trusted Zone: mytranscriptions.com
DPF: {02E641D9-DD62-11D2-8CC7-00104B9C5F24} - hxxp://pc2pc.pcfirst.com/profile.cab
DPF: {376C54B9-93B3-EF5D-72FF-D2C8448AC6F9} - hxxp://public.searchbarcash.com/cab/026/ckwsfqqk.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - hxxps://www.emdat.com/printing/PrinterBvr/setup.cab
DPF: {6C49A32B-6730-6C4B-87AF-DBA39448D8AF} - hxxp://public.searchbarcash.com/cab/042/idkwmkty.cab
DPF: {75FA17B8-2A69-11D3-8181-00600849097E} - hxxp://pc2pc.pcfirst.com/lancab.cab
DPF: {7F2B67F2-B96D-11D3-88CA-0020188CF76E} - hxxp://pc2pc.pcfirst.com/LANCab.cab
DPF: {9C4D9BFD-8964-FFC3-DAAE-FA8FDD6CE14B} - hxxp://public.searchbarcash.com/cab/039/nezqauyr.cab
DPF: {C5ADA8BC-CC22-AB2E-EACB-B829C20A89BD} - hxxp://public.searchbarcash.com/cab/000/hhawusyy.cab

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

After doing this, please start Malwarebytes Antimalware, update it first and run a full scan.

In your next reply, please include the following:
Combofix.txt
MBAM log

This post has been edited by elise025: 21 November 2009 - 03:42 PM

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#7 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 22 November 2009 - 01:19 AM

Elise: here are the log files you requested. Thank you!

ComboFix 09-11-20.05 - Gail 11/21/2009 15:50.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.204 [GMT -6:00]
Running from: c:\documents and settings\Gail\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gail\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-21 to 2009-11-21 )))))))))))))))))))))))))))))))
.

2009-11-20 15:09 . 2009-10-29 16:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-12 17:05 . 2009-11-09 18:18 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 17:05 . 2009-11-09 18:18 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 17:05 . 2009-11-09 18:17 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 17:05 . 2009-10-29 16:08 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 17:04 . 2009-11-12 17:02 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 17:04 . 2009-11-12 17:02 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 19:25 . 2009-11-09 19:25 -------- d-----w- c:\documents and settings\Gail\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24 . 2009-11-09 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24 . 2009-11-09 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 18:19 . 2009-10-29 16:09 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 18:12 . 2009-11-09 18:12 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 18:12 . 2009-10-29 16:07 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-04 18:47 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 23:20 . 2009-11-21 21:24 0 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\prvlcl.dat
2009-10-29 16:12 . 2009-10-29 16:12 -------- d-----w- c:\documents and settings\Gail\Local Settings\Application Data\AVG Security Toolbar
2009-10-29 16:11 . 2009-10-29 16:32 -------- d-----w- C:\$AVG
2009-10-29 16:09 . 2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09 . 2009-11-09 18:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09 . 2009-10-29 16:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09 . 2009-10-29 16:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 16:09 . 2009-11-21 15:41 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09 . 2009-11-04 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-29 16:07 . 2009-10-29 16:07 -------- d-----w- c:\program files\AVG
2009-10-29 16:07 . 2009-11-20 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 19:57 . 2009-02-14 00:47 78016 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 19:19 . 2004-02-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-20 07:56 . 2007-07-02 02:19 -------- d-----w- c:\documents and settings\Gail\Application Data\U3
2009-11-10 21:57 . 2009-02-02 00:07 -------- d-----w- c:\program files\Norton Internet Security
2009-11-10 04:16 . 2009-01-21 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-10 03:46 . 2002-05-03 23:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-10 03:45 . 2002-05-03 23:33 -------- d-----w- c:\program files\Symantec
2009-11-10 03:43 . 2004-12-20 23:03 -------- d-----w- c:\program files\Soulseek
2009-09-29 01:44 . 2004-01-08 21:36 -------- d-----w- c:\documents and settings\Gail\Application Data\Aim
2009-09-29 01:29 . 2004-01-09 13:31 -------- d-----w- c:\documents and settings\alicia\Application Data\Aim
2009-09-23 02:10 . 2009-09-23 02:10 -------- d-----w- c:\program files\Emdat
2009-09-11 14:33 . 2002-05-21 08:34 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-05-21 08:34 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-06-23 17:33 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-05-21 08:33 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2003-08-24 03:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-03-20 03:18 . 2004-03-20 03:17 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59 . 2004-02-06 00:22 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00 . 2002-05-21 08:35 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56 . 2002-05-21 08:35 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-05-21 08:34 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-05-21 08:34 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2003-08-24 03:24 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 . 2002-05-21 08:35 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-05-21 08:35 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-05-21 08:35 11776 --sha-w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-21_19.56.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-21 21:44 . 2009-11-21 21:44 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM95\aim.exe" [2004-04-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"UpdateMgr.exe"="c:\program files\EarthLink 5.0\updatemgr.exe" [2002-01-04 61440]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 36864]
"cQFHQ1ox"="c:\progra~1\uotpwvuo\boQDBAAN.exe" [BU]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 148888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-03 100032]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2006-3-12 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-9-11 217088]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-3 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iMesh.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iMesh.lnk
backup=c:\windows\pss\iMesh.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=c:\windows\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 WinIK;WinIK;c:\windows\system32\drivers\winik.sys [1/23/2005 3:55 PM 14976]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2009 10:09 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2009 10:09 AM 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/15/2007 10:31 AM 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/29/2009 10:07 AM 285392]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
FF - ProfilePath - c:\documents and settings\Gail\Application Data\Mozilla\Firefox\Profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3120)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-21 16:11
ComboFix-quarantined-files.txt 2009-11-21 22:11
ComboFix2.txt 2009-11-21 20:05

Pre-Run: 48,520,736,768 bytes free
Post-Run: 48,483,590,144 bytes free

- - End Of File - - 218FAF777A74726420B6D8CDBC03D3DC

Malwarebytes' Anti-Malware 1.41
Database version: 3212
Windows 5.1.2600 Service Pack 2

11/22/2009 12:15:08 AM
mbam-log-2009-11-22 (00-14-51).txt

Scan type: Full Scan (C:\|D:\|G:\|H:\|)
Objects scanned: 240128
Time elapsed: 1 hour(s), 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinIK (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 22 November 2009 - 05:53 AM

Hello popfonacs,

Did you remove all threads found by MBAM?

We have a real antique rootkit here that needs to go. Apparently its too old for any tool to pick up, so we need to execute another script.

CF-SCRIPT
-------------
We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Driver::
WinIK

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83de62e0-5805-11d8-9b25-00e04c60faf2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.google.com/ie"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cQFHQ1ox"=-

File::
c:\windows\system32\drivers\winik.sys
c:\windows\2_0_1browserhelper2.dll
c:\windows\system32\bridge.dll

Folder::
c:\progra~1\uotpwvuo

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
Combofix.txt

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#9 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 22 November 2009 - 05:48 PM

MBAM said it was not able to remove all threads...below is the new Combofix.txt. Thanks!

ComboFix 09-11-20.05 - Gail 11/22/2009 16:18.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.180 [GMT -6:00]
Running from: c:\documents and settings\Gail\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gail\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\2_0_1browserhelper2.dll"
"c:\windows\system32\bridge.dll"
"c:\windows\system32\drivers\winik.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\uotpwvuo
c:\progra~1\uotpwvuo\boQDBAAN.dll
c:\progra~1\uotpwvuo\cnml.exe
c:\progra~1\uotpwvuo\NAABDQob.exe
c:\progra~1\uotpwvuo\profile.dat
c:\windows\system32\drivers\winik.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINIK
-------\Service_WinIK

((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-20 15:09 . 2009-10-29 16:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-12 17:05 . 2009-11-09 18:18 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 17:05 . 2009-11-09 18:18 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 17:05 . 2009-11-09 18:17 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 17:05 . 2009-10-29 16:08 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 17:04 . 2009-11-12 17:02 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 17:04 . 2009-11-12 17:02 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 19:25 . 2009-11-09 19:25 -------- d-----w- c:\documents and settings\Gail\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24 . 2009-11-09 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24 . 2009-11-09 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 18:19 . 2009-10-29 16:09 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 18:12 . 2009-11-09 18:12 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 18:12 . 2009-10-29 16:07 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-04 18:47 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 23:20 . 2009-11-22 18:24 0 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\prvlcl.dat
2009-10-29 16:12 . 2009-10-29 16:12 -------- d-----w- c:\documents and settings\Gail\Local Settings\Application Data\AVG Security Toolbar
2009-10-29 16:11 . 2009-10-29 16:32 -------- d-----w- C:\$AVG
2009-10-29 16:09 . 2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09 . 2009-11-09 18:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09 . 2009-10-29 16:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09 . 2009-10-29 16:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 16:09 . 2009-11-22 14:55 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09 . 2009-11-04 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-29 16:07 . 2009-10-29 16:07 -------- d-----w- c:\program files\AVG
2009-10-29 16:07 . 2009-11-20 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 19:57 . 2009-02-14 00:47 78016 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 19:19 . 2004-02-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-20 07:56 . 2007-07-02 02:19 -------- d-----w- c:\documents and settings\Gail\Application Data\U3
2009-11-10 21:57 . 2009-02-02 00:07 -------- d-----w- c:\program files\Norton Internet Security
2009-11-10 04:16 . 2009-01-21 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-10 03:46 . 2002-05-03 23:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-10 03:45 . 2002-05-03 23:33 -------- d-----w- c:\program files\Symantec
2009-11-10 03:43 . 2004-12-20 23:03 -------- d-----w- c:\program files\Soulseek
2009-09-29 01:44 . 2004-01-08 21:36 -------- d-----w- c:\documents and settings\Gail\Application Data\Aim
2009-09-29 01:29 . 2004-01-09 13:31 -------- d-----w- c:\documents and settings\alicia\Application Data\Aim
2009-09-11 14:33 . 2002-05-21 08:34 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-05-21 08:34 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-06-23 17:33 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-05-21 08:33 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2003-08-24 03:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-03-20 03:18 . 2004-03-20 03:17 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59 . 2004-02-06 00:22 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00 . 2002-05-21 08:35 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56 . 2002-05-21 08:35 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-05-21 08:34 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-05-21 08:34 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2003-08-24 03:24 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 . 2002-05-21 08:35 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-05-21 08:35 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-05-21 08:35 11776 --sha-w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-21_19.56.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 22:33 . 2009-11-22 22:33 16384 c:\windows\Temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM95\aim.exe" [2004-04-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"UpdateMgr.exe"="c:\program files\EarthLink 5.0\updatemgr.exe" [2002-01-04 61440]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 148888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-03 100032]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2006-3-12 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-9-11 217088]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-3 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iMesh.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iMesh.lnk
backup=c:\windows\pss\iMesh.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=c:\windows\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2009 10:09 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2009 10:09 AM 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/15/2007 10:31 AM 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/29/2009 10:07 AM 285392]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
FF - ProfilePath - c:\documents and settings\Gail\Application Data\Mozilla\Firefox\Profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 16:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\mrtMngr.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
.
**************************************************************************
.
Completion time: 2009-11-22 16:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-22 22:41
ComboFix2.txt 2009-11-21 20:05

Pre-Run: 48,503,992,320 bytes free
Post-Run: 48,478,605,312 bytes free

- - End Of File - - D36041A4D03BCEA81144A7A3795485BB

#10 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 23 November 2009 - 03:21 AM

Hello again,

Can you please list the files MBAM cannot remove (if you don't know anymore, please re-run mbam full scan, make sure you update it first).

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#11 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 23 November 2009 - 06:58 AM

Hello,

MBAM had said it found 6 infections and could not delete them all. But I updated and scanned again and this time it only found 3 infections and said it deleted all of them. the infections it deleted were:

Files Infected:
C:\Qoobox\Quarantine\C\Program Files\uotpwvuo\boQDBAAN.dll.vir (Adware.CommonName) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\uotpwvuo\cnml.exe.vir (Adware.CommonName) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\uotpwvuo\NAABDQob.exe.vir (Adware.CommonName) -> Quarantined and deleted successfully.

#12 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 23 November 2009 - 07:02 AM

Hello popfonacs,

Looks good

How are things running now? Still one detail to take care of in the logs.

CF-SCRIPT
-------------
We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.google.com/ie"

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

This post has been edited by elise025: 23 November 2009 - 07:11 AM

regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton

Follow BleepingComputer on: Facebook | Twitter | Google+

#13 popfonacs

Member

Group: Members
Posts: 30
Joined: 10-November 09

Posted 23 November 2009 - 09:39 AM

Everything seems to be running better. Here is the new combofix log:

ComboFix 09-11-20.05 - Gail 11/23/2009 8:19.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.257 [GMT -6:00]
Running from: c:\documents and settings\Gail\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gail\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-20 15:09 . 2009-10-29 16:07 877848 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-12 17:05 . 2009-11-09 18:18 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 17:05 . 2009-11-09 18:18 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 17:05 . 2009-11-09 18:17 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 17:05 . 2009-10-29 16:08 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 17:04 . 2009-11-12 17:02 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 17:04 . 2009-11-12 17:02 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 19:25 . 2009-11-09 19:25 -------- d-----w- c:\documents and settings\Gail\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-09 19:24 . 2009-11-09 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-09 19:24 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 19:24 . 2009-11-09 19:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 18:19 . 2009-10-29 16:09 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 18:12 . 2009-11-09 18:12 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 18:12 . 2009-10-29 16:07 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-04 18:47 . 2009-10-16 17:12 1119488 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-03 23:20 . 2009-11-23 12:24 0 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\prvlcl.dat
2009-10-29 16:12 . 2009-10-29 16:12 -------- d-----w- c:\documents and settings\Gail\Local Settings\Application Data\AVG Security Toolbar
2009-10-29 16:11 . 2009-10-29 16:32 -------- d-----w- C:\$AVG
2009-10-29 16:09 . 2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 16:09 . 2009-11-09 18:17 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 16:09 . 2009-10-29 16:09 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 16:09 . 2009-10-29 16:09 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 16:09 . 2009-11-23 14:16 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-29 16:09 . 2009-11-04 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-29 16:07 . 2009-10-29 16:07 -------- d-----w- c:\program files\AVG
2009-10-29 16:07 . 2009-11-20 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 19:57 . 2009-02-14 00:47 78016 ----a-w- c:\documents and settings\Gail\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 19:19 . 2004-02-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-20 07:56 . 2007-07-02 02:19 -------- d-----w- c:\documents and settings\Gail\Application Data\U3
2009-11-10 21:57 . 2009-02-02 00:07 -------- d-----w- c:\program files\Norton Internet Security
2009-11-10 04:16 . 2009-01-21 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-10 03:46 . 2002-05-03 23:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-10 03:45 . 2002-05-03 23:33 -------- d-----w- c:\program files\Symantec
2009-11-10 03:43 . 2004-12-20 23:03 -------- d-----w- c:\program files\Soulseek
2009-09-29 01:44 . 2004-01-08 21:36 -------- d-----w- c:\documents and settings\Gail\Application Data\Aim
2009-09-29 01:29 . 2004-01-09 13:31 -------- d-----w- c:\documents and settings\alicia\Application Data\Aim
2009-09-11 14:33 . 2002-05-21 08:34 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2002-05-21 08:34 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-06-23 17:33 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-05-21 08:33 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2003-08-24 03:25 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-03-20 03:18 . 2004-03-20 03:17 3662787 ----a-w- c:\program files\spybotsd12.exe
2001-09-24 12:59 . 2004-02-06 00:22 229376 ----a-w- c:\program files\norton kitties
2001-08-18 12:00 . 2002-05-21 08:35 94784 --sha-w- c:\windows\twain.dll
2004-08-04 07:56 . 2002-05-21 08:35 50688 --sha-w- c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-05-21 08:34 1028096 --sha-w- c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-05-21 08:34 54784 --sha-w- c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2003-08-24 03:24 413696 --sha-w- c:\windows\system32\msvcp60.dll
2007-12-04 18:38 . 2002-05-21 08:35 550912 --sha-w- c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-05-21 08:35 83456 --sha-w- c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-05-21 08:35 11776 --sha-w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-21_19.56.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-23 11:52 . 2009-11-23 11:52 16384 c:\windows\Temp\Perflib_Perfdata_4dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="c:\program files\AIM95\aim.exe" [2004-04-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConMgr.exe"="c:\program files\EarthLink 5.0\ConMgr.exe" [2002-01-04 290816]
"UpdateMgr.exe"="c:\program files\EarthLink 5.0\updatemgr.exe" [2002-01-04 61440]
"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-13 36864]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 180269]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 148888]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2006-09-03 100032]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2006-3-12 65588]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-9-11 217088]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-3 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-29 16:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 7.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 7.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^iMesh.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\iMesh.lnk
backup=c:\windows\pss\iMesh.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Semagic.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Semagic.lnk
backup=c:\windows\pss\Semagic.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/29/2009 10:09 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/29/2009 10:09 AM 360584]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/15/2007 10:31 AM 135936]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/29/2009 10:07 AM 285392]
S2 EraserSvc10730;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.blazefind.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} - hxxp://xpupload.hpphoto.com/downloads/DownloadPhotos.cab
DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab
FF - ProfilePath - c:\documents and settings\Gail\Application Data\Mozilla\Firefox\Profiles\5uq7q18q.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 08:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1920)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-23 08:34
ComboFix-quarantined-files.txt 2009-11-23 14:34
ComboFix2.txt 2009-11-21 20:05

Pre-Run: 48,542,408,704 bytes free
Post-Run: 48,503,394,304 bytes free

- - End Of File - - D13839D4D47A94AE389E325C58B5EF33

#14 elise025

Bleepin' Blonde

Group: Malware Study Hall Admin
Posts: 36,073
Joined: 05-October 07
Gender:Female
Location:Romania

Posted 23 November 2009 - 10:41 AM

Hello popfonacs,

UPDATE JAVA
------------------
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
Click the Download button to the right.
Select your Platform: "Windows".
Select your Language: "Multi-language".
Read the License Agreement, and then check the box that says: "Accept License Agreement".
Click Continue and the page will refresh.
Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u15-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Check
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push
Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
Push the button.
Push