Jump/Re-Direct virus or malware

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Jump/Re-Direct virus or malware do not know how to remove

#1 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 03 November 2011 - 09:48 PM

I am experiencing issues with being re-directed after clicking on search results using the google web browser. I have followed the preparation guide up til step 8. I will post the dds log requested.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Auser at 21:14:34 on 2011-11-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.522 [GMT -5:00]
.
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\71119859:214745851.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\auser\startm~1\programs\startup\openoffice.org 3.0.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee security scan plus.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickbooks update agent.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{45786F90-4C13-425F-96E0-9341DC67C610} : DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{9B0F5449-1879-4EE5-A941-38E1C1A78BAB} : DhcpNameServer = 192.168.0.1 205.171.3.25
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\auser\application data\mozilla\firefox\profiles\owh448aq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-29 11608]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\adobe\elements 10 organizer\PhotoshopElementsFileAgent.exe [2011-9-1 163828]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-30 163820]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-10-26 240648]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
S2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-29 68865]
S2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-29 151297]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
S3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-29 52056]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-7-28 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-11-04 01:43:43 -------- d-----w- c:\windows\system32\KB905474
2011-10-26 11:04:35 -------- d-----w- c:\documents and settings\auser\application data\Sammsoft
2011-10-26 05:41:09 -------- d--h--w- C:\$AVG
2011-10-26 05:08:39 -------- d-----w- c:\documents and settings\auser\application data\AVG2012
2011-10-26 05:01:44 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-10-26 05:01:43 -------- d-----w- c:\program files\AVG Secure Search
2011-10-26 05:01:03 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-26 05:01:03 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-26 05:00:43 -------- d-----w- c:\program files\AVG
2011-10-26 04:18:20 48016 --sha-w- c:\windows\system32\c_62654.nl_
2011-10-26 04:07:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 02:27:04 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-26 02:18:31 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-26 02:08:05 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-26 02:00:55 -------- d-----w- c:\documents and settings\auser\application data\Malwarebytes
2011-10-26 01:55:43 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-26 01:55:43 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-26 01:55:03 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-10-26 00:26:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2011-10-26 00:19:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-25 18:16:10 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-10-25 10:41:30 -------- d-----w- c:\documents and settings\all users\application data\Avira(2)
2011-10-25 01:00:36 -------- d-sh--w- c:\documents and settings\auser\local settings\application data\f3333d04
2011-10-08 03:38:07 -------- d-----w- c:\documents and settings\auser\Adobe Photoshop Elements 10
2011-10-08 03:37:25 -------- d-----w- c:\documents and settings\auser\application data\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-10-08 03:37:18 -------- d-----w- c:\program files\Adobe Download Assistant
.
==================== Find3M ====================
.
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 21:15:22.67 ===============

When I attempt to run the gmer scan the gmer scan closes prior to obtaining the log. For this, i need an alternate solution to providing the gmer log.

Attached File(s)

attach.txt (14.3K)
Number of downloads: 2

#2 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 05 November 2011 - 08:13 AM

i ran the gmer scan in safe mode here are the results...what are the next steps?

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-05 07:55:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST980412ASG rev.0003SDM1
Running: gmer.exe; Driver: C:\DOCUME~1\Auser\LOCALS~1\Temp\uxldapob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641743391
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641904ad7
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164193210a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641968c86
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001641743391 (not active ControlSet)

---- Files - GMER 1.0.15 ----

ADS C:\WINDOWS\71119859:214745851.exe 816 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\$NtUninstallKB12744$\1837272778 0 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444 0 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\L 0 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\L\jjiqbyxm 36352 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U 0 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@000000c0 3584 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@80000000 23040 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@800000c0 35840 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@800000cb 23040 bytes
File C:\WINDOWS\$NtUninstallKB12744$\4080221444\U\@800000cf 27648 bytes

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\71119859:214745851.exe [MANUAL] f3333d04 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#3 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 05 November 2011 - 08:54 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

:multiple Anti Virus programs:

AV: AVG Internet Security 2012

AV: Avira AntiVir PersonalEdition

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#4 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 05 November 2011 - 10:08 PM

ComboFix 11-11-05.03 - Auser 11/05/2011 21:45:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.723 [GMT -5:00]
Running from: c:\documents and settings\Auser\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ARA.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CHS.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CHT.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CSY.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-DAN.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-DEU.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ELL.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ENU.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ESN.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-FIN.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-FRA.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-HEB.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-HUN.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ITA.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-JPN.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-KOR.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-NLD.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-NOR.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PLK.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PTB.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PTG.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-RUS.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-SVE.exe
c:\docume~1\Auser\LOCALS~1\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-TRK.exe
c:\docume~1\Auser\LOCALS~1\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\adobe_caps.dll
c:\docume~1\Auser\LOCALS~1\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\amtservices.dll
c:\docume~1\Auser\LOCALS~1\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\asneu.dll
c:\docume~1\Auser\LOCALS~1\Temp\Temporary Directory 2 for gmer.zip\gmer.exe
c:\documents and settings\Auser\Local Settings\Application Data\f3333d04
c:\documents and settings\Auser\Local Settings\Application Data\f3333d04\@
c:\documents and settings\Auser\Local Settings\Application Data\f3333d04\U\80000000.@
c:\documents and settings\Auser\Local Settings\Application Data\f3333d04\U\800000cb.@
c:\documents and settings\Auser\Local Settings\Application Data\f3333d04\X
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ARA.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CHS.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CHT.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-CSY.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-DAN.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-DEU.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ELL.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ENU.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ESN.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-FIN.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-FRA.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-HEB.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-HUN.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-ITA.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-JPN.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-KOR.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-NLD.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-NOR.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PLK.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PTB.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-PTG.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-RUS.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-SVE.exe
c:\documents and settings\Auser\Local Settings\Temp\{22B576E2-EA0A-446C-BE82-6914F0C28AB5}\{344BEB1C-12D1-4CEE-8D77-5BB3F81507FB}\WindowsXP-KB921411-x86-TRK.exe
c:\documents and settings\Auser\Local Settings\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\adobe_caps.dll
c:\documents and settings\Auser\Local Settings\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\amtservices.dll
c:\documents and settings\Auser\Local Settings\Temp\{433EACD8-4747-4A6A-826A-FFA9F39B0D40}\asneu.dll
c:\documents and settings\Auser\Local Settings\Temp\Temporary Directory 2 for gmer.zip\gmer.exe
c:\windows\$NtUninstallKB12744$\1837272778
c:\windows\$NtUninstallKB12744$\4080221444\@
c:\windows\$NtUninstallKB12744$\4080221444\L\jjiqbyxm
c:\windows\$NtUninstallKB12744$\4080221444\loader.tlb
c:\windows\$NtUninstallKB12744$\4080221444\U\@00000001
c:\windows\$NtUninstallKB12744$\4080221444\U\@000000c0
c:\windows\$NtUninstallKB12744$\4080221444\U\@000000cb
c:\windows\$NtUninstallKB12744$\4080221444\U\@000000cf
c:\windows\$NtUninstallKB12744$\4080221444\U\@80000000
c:\windows\$NtUninstallKB12744$\4080221444\U\@800000c0
c:\windows\$NtUninstallKB12744$\4080221444\U\@800000cb
c:\windows\$NtUninstallKB12744$\4080221444\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
c:\windows\system32\
c:\windows\system32\dbeaecca_d.dll
c:\windows\$NtUninstallKB12744$ . . . . Failed to delete
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\windows\Microsoft.NET\Framework\v2.0.50727\
.
Infected copy of c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{2364810A-D8D5-40BA-BC7A-47E293A1DEF6}\RP63\A0067551.ini
.
Infected copy of c:\windows\System32\WLTRYSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{2364810A-D8D5-40BA-BC7A-47E293A1DEF6}\RP67\A0073587.EXE
.
Infected copy of c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{2364810A-D8D5-40BA-BC7A-47E293A1DEF6}\RP63\A0067551.ini
Infected copy of c:\windows\System32\WLTRYSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{2364810A-D8D5-40BA-BC7A-47E293A1DEF6}\RP67\A0073587.EXE
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_f3333d04
.
.
((((((((((((((((((((((((( Files Created from 2011-10-06 to 2011-11-06 )))))))))))))))))))))))))))))))
.
.
2011-11-04 01:43 . 2011-11-04 01:43 -------- d-----w- c:\windows\system32\KB905474
2011-10-26 11:04 . 2011-10-26 11:12 -------- d-----w- c:\documents and settings\Auser\Application Data\Sammsoft
2011-10-26 05:41 . 2011-10-26 05:41 -------- d-----w- C:\$AVG
2011-10-26 05:01 . 2011-11-06 02:27 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-26 05:01 . 2011-11-06 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-26 05:00 . 2011-10-26 05:00 -------- d-----w- c:\program files\AVG
2011-10-26 04:18 . 2011-10-26 04:18 48016 --sha-w- c:\windows\system32\c_62654.nl_
2011-10-26 04:07 . 2011-10-26 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 03:55 . 2011-10-26 03:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-26 02:27 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-26 02:18 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-26 02:08 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-26 02:00 . 2011-10-26 02:00 -------- d-----w- c:\documents and settings\Auser\Application Data\Malwarebytes
2011-10-26 01:55 . 2011-10-26 01:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-26 01:55 . 2011-10-26 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-26 00:19 . 2011-10-26 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-25 23:32 . 2011-10-26 01:54 -------- d-s---w- c:\documents and settings\Administrator
2011-10-25 18:16 . 2011-11-06 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-25 01:12 . 2011-10-25 01:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-08 03:38 . 2011-10-08 07:57 -------- d-----w- c:\documents and settings\Auser\Adobe Photoshop Elements 10
2011-10-08 03:37 . 2011-10-08 03:37 -------- d-----w- c:\documents and settings\Auser\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-10-08 03:37 . 2011-10-08 03:37 -------- d-----w- c:\program files\Adobe Download Assistant
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-08-31 996616]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Auser\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-3 1153824]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-31 02:00 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-31 02:00 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-02-21 16:17 970752 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-02-21 16:19 819200 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-31 01:59 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Common Files\\Intuit\\Sync\\IntuitSyncManager.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\McAfee Security Scan\\2.0.181\\mcuicnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1031:TCP"= 1031:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [9/1/2011 2:22 AM 163828]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 163820]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [7/28/2011 5:03 PM 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-D620-Auser.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-16 21:43]
.
2011-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-11-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-11-04 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\Auser\Application Data\Mozilla\Firefox\Profiles\owh448aq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 21:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3264)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-11-05 22:00:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-06 03:00
.
Pre-Run: 50,247,626,752 bytes free
Post-Run: 53,039,722,496 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 9B3C93CAB2F4E238E4E9DC547B64F6E1

I deleted AVG anti-virus from the computer. I would of rather of deleted the Avira Anti-virus but I am unable to delete the program. Additionally, I receive this message whenever I start the computer.

Window Title: Avira AntiVir Personal - Free Antivirus
Text in Window: CCPLG.XML:
Unable to find file (C:\Progarm Files\Avira\AnitVir Personal Edition Classic\ccplg.xml)

I do not know if this means that my antivirus is not working or if it is corrupted somehow. I would rather delete it and re-install AVG if possible....ideas?

Otherwise, I am not experiencing any redirections after selecting google search results so that looks GREAT!

#5 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 05 November 2011 - 10:13 PM

When I attempt to remove Avira AntiVir from add/remove programs i receive the message:

Setup could not determine the feature control file or was not able to read it correctly.

This is why I had two antivirus programs. Again I would like to remove Avira and Re-install AVG...ideas?

Thanks Gringo!

#6 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 05 November 2011 - 10:15 PM

Hello

Let me know if this clears your other problems

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_62654.nl_

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

<-- Don't worry every little bit helps.

#7 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 05 November 2011 - 10:43 PM

ComboFix 11-11-05.03 - Auser 11/05/2011 22:32:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.498 [GMT -5:00]
Running from: c:\documents and settings\Auser\Desktop\Bleeping Computer\ComboFix.exe
Command switches used :: c:\documents and settings\Auser\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\system32\c_62654.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Auser\LOCALS~1\Temp\~nsu.tmp\Au_.exe
c:\documents and settings\Auser\Local Settings\Temp\~nsu.tmp\Au_.exe
c:\windows\system32\c_62654.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-10-06 to 2011-11-06 )))))))))))))))))))))))))))))))
.
.
2011-11-04 01:43 . 2011-11-04 01:43 -------- d-----w- c:\windows\system32\KB905474
2011-10-26 11:04 . 2011-10-26 11:12 -------- d-----w- c:\documents and settings\Auser\Application Data\Sammsoft
2011-10-26 05:41 . 2011-10-26 05:41 -------- d-----w- C:\$AVG
2011-10-26 05:01 . 2011-11-06 02:27 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-26 05:01 . 2011-11-06 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-26 05:00 . 2011-10-26 05:00 -------- d-----w- c:\program files\AVG
2011-10-26 04:07 . 2011-10-26 13:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-26 03:55 . 2011-10-26 03:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-26 02:27 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-26 02:18 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-26 02:08 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-10-26 02:00 . 2011-10-26 02:00 -------- d-----w- c:\documents and settings\Auser\Application Data\Malwarebytes
2011-10-26 01:55 . 2011-10-26 01:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-26 01:55 . 2011-10-26 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-10-26 00:19 . 2011-10-26 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-25 23:32 . 2011-10-26 01:54 -------- d-s---w- c:\documents and settings\Administrator
2011-10-25 18:16 . 2011-11-06 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-10-25 01:12 . 2011-10-25 01:12 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-08 03:38 . 2011-10-08 07:57 -------- d-----w- c:\documents and settings\Auser\Adobe Photoshop Elements 10
2011-10-08 03:37 . 2011-10-08 03:37 -------- d-----w- c:\documents and settings\Auser\Application Data\com.adobe.downloadassistant.AdobeDownloadAssistant
2011-10-08 03:37 . 2011-10-08 03:37 -------- d-----w- c:\program files\Adobe Download Assistant
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-04 10:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-06_02.57.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 10:00 . 2011-11-06 02:48 67510 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2011-11-06 03:01 67510 c:\windows\system32\perfc009.dat
+ 2011-11-06 03:38 . 2011-11-06 03:38 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\6c334564da041df8fb75415f2d503224\System.Windows.Presentation.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a54a122f1070ab71931dd9679ddd8e90\System.Web.DynamicData.Design.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\eaa8d72317e5b8047e413939cc71ffba\Microsoft.Vsa.ni.dll
+ 2004-08-04 10:00 . 2011-11-06 03:01 432594 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2011-11-06 02:48 432594 c:\windows\system32\perfh009.dat
+ 2011-11-06 03:38 . 2011-11-06 03:38 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\566b2e11e7f3f6d973b17b86cf42f9bc\System.Xml.Linq.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 130048 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\792090a77ce0b9adcac407cbd800c4a3\System.Web.Routing.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\018b6e48c32d5b5d78086998e3505f1c\System.Web.RegularExpressions.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\d93514a764a83b18f6f3547b59cc8ae9\System.Web.Extensions.Design.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\93b5d1b77a74b76ac73cbf51ec871c01\System.Web.Entity.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d06a7d5872bbe85795f947f6c75d38c6\System.Web.Entity.Design.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 554496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\6f997fc0b2f11759f8dd7399ba243274\System.Web.DynamicData.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 153600 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\9dbdcfb556dce4300f9c3f355080c6b9\System.Web.Abstractions.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 625664 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\cba4905a1b9a2afa4ed111d094050729\System.Transactions.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\81096bfe85eb0da5f05e8a127ffa43b2\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\b2a84980f206431821d85d5155d5916f\System.Net.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\90b90e700e59d73d6d692cf74e1ba16e\System.Management.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\f36eded354122da9555a6c7cdbdb5431\System.Management.Instrumentation.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\69792bef8a100a055db88848836a7d88\System.EnterpriseServices.Wrapper.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\69792bef8a100a055db88848836a7d88\System.EnterpriseServices.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\33e9b0c368c31ef37a2ec7b5a181044b\System.DirectoryServices.Protocols.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\11cdd1c0d65428cd3505d3813d36638c\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\29d7091f6eab0ec61c4eb625ed221b73\System.Configuration.Install.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\17902fdb0e0d3bc8b49bce693415fe7e\System.WorkflowServices.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\f72c5f649951b0403e62bfab6c453e6f\System.Workflow.Runtime.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\0aa4f4174204c93cc5181df4a6b2fb09\System.Workflow.ComponentModel.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\921629dc69a5a895101097c88ae67897\System.Workflow.Activities.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 1838080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\637ef663971cf922a9b9ec0f82d0935b\System.Web.Services.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\f5dac0448a1dbe2687a5df92904d6274\System.Web.Mobile.ni.dll
+ 2011-11-06 03:37 . 2011-11-06 03:37 2430464 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\1d445034d000cf5be9e61f605400bc3e\System.Web.Extensions.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\9ec7da53380a754b4ad97709df0dd7e7\System.ServiceModel.Web.ni.dll
+ 2011-11-06 03:36 . 2011-11-06 03:36 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\8ad32b72258899177c07dc5912b5b748\Microsoft.JScript.ni.dll
+ 2011-11-06 03:38 . 2011-11-06 03:38 11799552 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\ea3e9a0577d48f5fea3c08ccf7f19a6f\System.Web.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-08-31 996616]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-06-06 251744]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Auser\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-3 1153824]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-03-31 02:00 162584 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-03-31 02:00 138008 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-02-21 16:17 970752 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-02-21 16:19 819200 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-03-31 01:59 138008 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\Common Files\\Intuit\\Sync\\IntuitSyncManager.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jaucheck.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1323:TCP"= 1323:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [9/1/2011 2:22 AM 163828]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [9/30/2010 4:06 AM 163820]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [7/28/2011 5:03 PM 18560]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-D620-Auser.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-16 21:43]
.
2011-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-11-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2011-11-04 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\Auser\Application Data\Mozilla\Firefox\Profiles\owh448aq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-11-05 22:40:37
ComboFix-quarantined-files.txt 2011-11-06 03:40
ComboFix2.txt 2011-11-06 03:00
.
Pre-Run: 53,080,211,456 bytes free
Post-Run: 52,984,729,600 bytes free
.
- - End Of File - - A8C0A54653AA7FA2C820156BDDED5FF0

Everything is working great! I will restart and check functionality again.

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 05 November 2011 - 10:48 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo

<-- Don't worry every little bit helps.

#9 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 06 November 2011 - 08:47 PM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Documents and Settings\Auser\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe: Access is denied.

..

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe: Access is denied.

...

...

...

..
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

.

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini: Access is denied.

.

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\WINDOWS\system32\MRT.exe: Access is denied.

...

...

..No reparse points found.

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 06 November 2011 - 10:00 PM

Hello

We need to reset some permisions that the virus changed

Download GrantPerms.zip and save it to your desktop.

Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:

c:\Documents and Settings\Auser\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
c:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
c:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini
c:\WINDOWS\system32\MRT.exe

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Gringo

<-- Don't worry every little bit helps.

#11 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 07 November 2011 - 10:36 AM

GrantPerms by Farbar
Ran by Auser at 2011-11-07 09:36:19

===============================================
\\?\c:\Documents and Settings\Auser\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\WINDOWS\assembly\GAC_MSIL\Desktop(2).ini

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\WINDOWS\system32\MRT.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

THANKS GRINGO!

#12 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 07 November 2011 - 12:48 PM

Hello

Now is a great time to check things out and let me know if everything is working as it should

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 8
Java™ 6 Update 7

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Malwarebytes' Anti-Malware

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
- Update Malwarebytes' Anti-Malware
- and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running Hijackthis.

sometimes we have to run it like this To run HijackThis as an administrator,
rightclick HijackThis.exe (located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select to run as administrator

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#13 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 07 November 2011 - 03:08 PM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8109

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/7/2011 1:58:17 PM
mbam-log-2011-11-07 (13-58-17).txt

Scan type: Quick scan
Objects scanned: 180851
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:22 PM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V10 (AdobeActiveFileMonitor10.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V9 (AdobeActiveFileMonitor9.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
O23 - Service: QBCFMonitorService - Unknown owner - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6335 bytes

My pc is running like a champ!

I am still getting the error message from Avira when I startup the computer. I am still not able to delete it either. From what you can see from the logs is Avira still protecting my computer?

Thanks Gringo!

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,524
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 07 November 2011 - 04:02 PM

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

<-- Don't worry every little bit helps.

#15 SethVR

New Member

Group: Members
Posts: 10
Joined: 03-November 11

Posted 07 November 2011 - 10:27 PM

Share this topic:

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

BleepingComputer.com: Jump/Re-Direct virus or malware

Forum Guidelines

Jump/Re-Direct virus or malware do not know how to remove

#1 SethVR

Attached File(s)

#2 SethVR

#3 gringo_pr

#4 SethVR

#5 SethVR

#6 gringo_pr

#7 SethVR

#8 gringo_pr

#9 SethVR

#10 gringo_pr

#11 SethVR

#12 gringo_pr

#13 SethVR

#14 gringo_pr

#15 SethVR

Share this topic:

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Delete Post

Skin and Language

Execution Stats

BleepingComputer.com: Jump/Re-Direct virus or malware

Forum Guidelines

Jump/Re-Direct virus or malware do not know how to remove

Attached File(s)

Share this topic:

1 User(s) are reading this topic 0 members, 1 guests, 0 anonymous users

Delete Post

Skin and Language

Execution Stats

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users