
Had vundo and probably agent


This topic is locked
27 replies to this topic

#1 wacque


Posted 05 February 2009 - 06:18 PM

Thank you for your help.
Several weeks ago I was infected with vundo & agent, completely knocking me off the internet. I downloaded and ran Malwarebytes Anti-Malware, SUPERAntiSpyware and VundoFix using a flash drive, and each of these is now showing 0 threats/infections; however, I still cannot connect to the internet, so I suspect I still have a problem and could use your help. I use Sygate for a firewall and for the life of me it will not let me open it up to turn it off, but I went ahead and ran my DDS log anyhow. Any suggestions would be most appreciated because I am in waaaay over my head.
Thanks,
Jacque


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacque at 15:37:51.33 on Thu 02/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.133 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\LVCOMSX.EXE
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Documents and Settings\Jacque\Application Data\Smilebox\SmileboxTray.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
F:\Program Files\3M\PSNLite\PsnLite.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\PROGRA~1\3M\PSNLite\PSNGive.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\WINDOWS\system32\hpoipm07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
F:\Documents and Settings\Jacque\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - f:\program files\yahoo!\common\yiesrvc.dll
BHO: {62e5fbb8-e9f8-4467-9d6d-aaa640bf0eb2} - f:\windows\system32\geBsstrS.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - f:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "f:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LDM] \Program\BackWeb-8876480.exe
uRun: [<NO NAME>]
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SmileboxTray] "f:\documents and settings\jacque\application data\smilebox\SmileboxTray.exe"
mRun: [SmcService] f:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Share-to-Web Namespace Daemon] f:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [LVCOMSX] f:\windows\system32\LVCOMSX.EXE
mRun: [HP Software Update] f:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [HPSoftwareUpdate] f:\program files\hp\hp software update\HPWUCli.exe
StartupFolder: f:\docume~1\jacque\startm~1\programs\startup\yahoo!~1.lnk - f:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - f:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - f:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - f:\program files\3m\psnlite\PsnLite.exe
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: &Yahoo! Search - file:///f:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Ad Hunter - f:\program files\myie2\config/blacklist.htm
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///f:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///f:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///f:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - f:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://f:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} - hxxp://download.paltalk.com/wcloader_prod/wcloader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - f:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://phpistons.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123115367996
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://phpistons.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38074.6646064815
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 f:\windows\system32\geBsstrS

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2008-5-14 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2007-2-3 26824]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8emc;AVG8 E-mail Scanner;f:\progra~1\avg\avg8\avgemc.exe [2008-7-2 875288]
R2 avg8wd;AVG8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 231704]
R2 AvgTdiX;AVG8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2008-5-14 76040]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 JL2005C;Dual Mode Camera;f:\windows\system32\drivers\jl2005c.sys [2008-5-10 62794]

=============== Created Last 30 ================

2009-02-03 13:37 <DIR> --d----- f:\windows\system32\NtmsData
2009-02-03 08:14 <DIR> --d----- f:\program files\McAfee.com
2009-01-22 18:01 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-22 18:01 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-01-22 18:01 <DIR> --d----- f:\docume~1\jacque\applic~1\SUPERAntiSpyware.com
2009-01-21 23:22 <DIR> --d----- F:\VundoFix Backups
2009-01-21 22:57 15,504 a------- f:\windows\system32\drivers\mbam.sys
2009-01-21 22:57 38,496 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:55 <DIR> --d----- f:\docume~1\jacque\applic~1\Malwarebytes
2009-01-21 12:55 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:55 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-16 22:10 45,904 a------- f:\windows\system32\GDIPFONTCACHEV1.DAT

==================== Find3M ====================

2009-01-30 21:03 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-01-22 18:13 2,180 a------- f:\windows\system32\d3d8caps.dat
2009-01-11 20:11 219,734 a------- f:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2005-10-21 21:01 21 a------- f:\program files\AVPersonalAVWIN.INI
2001-08-23 08:00 94,784 ---sh--- f:\windows\twain.dll
2004-08-04 00:56 50,688 ---sh--- f:\windows\twain_32.dll
2004-08-04 00:56 1,028,096 ---sh--- f:\windows\system32\mfc42.dll
2004-08-04 00:56 54,784 ---sh--- f:\windows\system32\msvcirt.dll
2004-08-04 00:56 413,696 a--sh--- f:\windows\system32\msvcp60.dll
2004-08-04 00:56 343,040 ---sh--- f:\windows\system32\msvcrt.dll
2004-08-04 00:56 553,472 ---sh--- f:\windows\system32\oleaut32.dll
2004-08-04 00:56 83,456 ---sh--- f:\windows\system32\olepro32.dll
2004-08-04 00:56 11,776 ---sh--- f:\windows\system32\regsvr32.exe
2008-04-12 09:49 181,035 a--sh--- f:\windows\system32\SrtssBeg.ini2

============= FINISH: 15:38:55.33 ===============
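
As an added example that is not part of the thread (not the poster's, the forum's, or DDS's own code): a small Python 3 triage that reads a constructed subset of the DDS "Pseudo HJT Report" above and flags the entries a helper would focus on. The rules it applies are taken from what the log shows: a BHO registered with no display name (geBsstrS.dll), an LSA "Authentication Packages" value that lists a second module besides the standard msv1_0 (which means that DLL is loaded into the LSA process at boot, well before any browser starts), and a file whose name is the reverse spelling of that module (SrtssBeg.ini2). Nothing here touches the real machine; the sample lines are embedded in the script and are a subset of the log in the post.

```python
"""Triage of a DDS "Pseudo HJT Report" section.

Added example; not code from the thread, from DDS, or from any of the
tools named in it. It flags three things that are visible in the first
DDS log above: a Browser Helper Object listed without a display name,
an "LSA: Authentication Packages" value that names anything besides the
standard msv1_0, and a file whose base name is the reverse of such a
module (SrtssBeg.ini2 next to geBsstrS.dll). SAMPLE_DDS is a constructed
subset of the log in the post, with unrelated lines left out.
"""
import re

SAMPLE_DDS = r"""
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {62e5fbb8-e9f8-4467-9d6d-aaa640bf0eb2} - f:\windows\system32\geBsstrS.dll
AppInit_DLLs: avgrsstx.dll
LSA: Authentication Packages = msv1_0 f:\windows\system32\geBsstrS
2009-01-16 22:10 45,904 a------- f:\windows\system32\GDIPFONTCACHEV1.DAT
2008-04-12 09:49 181,035 a--sh--- f:\windows\system32\SrtssBeg.ini2
"""

# DDS file-listing rows: "<date> <time> <size or <DIR>> <attrs> <path>"
FILE_ROW_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .*? ([a-z]:\\.+)$", re.IGNORECASE)


def stem(path):
    """Base name without extension: 'f:\\x\\SrtssBeg.ini2' -> 'SrtssBeg'."""
    return path.rsplit("\\", 1)[-1].split(".", 1)[0]


def parse_bho(line):
    """'BHO: [name: ]{clsid} - path' -> (name, clsid, path); name is '' when absent."""
    head, _, path = line[len("BHO: "):].partition(" - ")
    name, _, clsid = head.rpartition(": ")
    return name, clsid, path


def unnamed_bhos(lines):
    """Paths of BHOs registered without a display name (the geBsstrS.dll case)."""
    return [parse_bho(line)[2] for line in lines
            if line.startswith("BHO: ") and not parse_bho(line)[0]]


def extra_lsa_packages(lines):
    """Authentication packages other than msv1_0; a DLL here is loaded by LSA at boot."""
    for line in lines:
        if line.startswith("LSA: Authentication Packages = "):
            return [p for p in line.split("= ", 1)[1].split() if p.lower() != "msv1_0"]
    return []


def reversed_name_files(suspect_paths, lines):
    """Files in the listings whose stem, reversed, equals a suspect module's stem."""
    suspects = {stem(p) for p in suspect_paths}
    hits = []
    for line in lines:
        m = FILE_ROW_RE.match(line)
        if m and stem(m.group(1))[::-1] in suspects:
            hits.append((stem(m.group(1))[::-1], m.group(1)))
    return hits


def triage(dds_text):
    """Run all three checks over one DDS log and return the findings."""
    lines = [line.rstrip() for line in dds_text.splitlines()]
    bhos = unnamed_bhos(lines)
    lsa = extra_lsa_packages(lines)
    return {
        "unnamed_bho": bhos,
        "extra_lsa": lsa,
        "reversed_name_files": reversed_name_files(bhos + lsa, lines),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_DDS).items():
        print(f"{key}: {val}")
```

Running the script prints the three findings. The LSA entry is the one worth reading first: a module listed in Authentication Packages is loaded again at every boot whatever a browser-oriented scan removes, and it is present in this log while the poster's scanners were reporting zero infections.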


#2 KoanYorel


Posted 18 February 2009 - 12:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 wacque


Posted 18 February 2009 - 04:17 PM

Oh Yeah!!!!! I know y'all are busy so I appreciate and Thank you for helping!
Yes, I still can't connect to the internet. I have run everything I can to clean my computer, but I don't know if there is something hiding that will not let me get online, so I don't know what to do next. I have run Malwarebytes, SUPERAntiSpyware, VundoFix & ComboFix.

My IP service says they show me connected and actually sent someone to check the modem physically (no router) to make sure it and its cables are working, and they say it is fine, as well as my IP address (& I can connect with another computer on the same lines and modem -- which I am currently using to download files with a thumb drive). My computer shows that it connects (although the Activity of the packets seems wrong to me, but I don't really know -- this is all a HUGE learning curve for me). When I open IE I get the message "Action Cancelled - the page cannot be displayed - cannot find server", as do all my programs that try to access the internet.

Also during the wait I have discovered that I have AVG and AntiVir both running. I use AVG and thought AntiVir was uninstalled -- I do not show AntiVir in my system bar, nor do I find it anywhere in the add/remove files, so that will show up in my logs. Also my Sygate firewall is still not showing up. When I click it to open, nothing happens. It is like it is gone, or like it is missing files to make it work - ???vundo???

Someone suggested I download winsockxpfix to see if that would fix it, but still nothing. So I don't know if I actually got everything or if you can help, but I sure need it. Here are my logs (I'm including the others for good measure):

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacque at 13:32:22.48 on Wed 02/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.165 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Documents and Settings\Jacque\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - f:\program files\yahoo!\common\yiesrvc.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - f:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "f:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SmcService] f:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Share-to-Web Namespace Daemon] f:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [HP Software Update] f:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [HPSoftwareUpdate] f:\program files\hp\hp software update\HPWUCli.exe
StartupFolder: f:\docume~1\jacque\startm~1\programs\startup\yahoo!~1.lnk - f:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - f:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - f:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: &Yahoo! Search - file:///f:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Ad Hunter - f:\program files\myie2\config/blacklist.htm
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///f:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///f:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///f:\program files\yahoo!\Common/ycsms.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - f:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://f:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} - hxxp://download.paltalk.com/wcloader_prod/wcloader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - f:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://phpistons.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123115367996
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://phpistons.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38074.6646064815
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
TCP: {1FD6568C-2DB2-4855-8A98-2ECC67FD5BD8} = 68.87.85.98,68.87.69.146
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2008-5-14 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2007-2-3 26824]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8emc;AVG8 E-mail Scanner;f:\progra~1\avg\avg8\avgemc.exe [2008-7-2 875288]
R2 avg8wd;AVG8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 231704]
R2 AvgTdiX;AVG8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2008-5-14 76040]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 JL2005C;Dual Mode Camera;f:\windows\system32\drivers\jl2005c.sys [2008-5-10 62794]

=============== Created Last 30 ================

2009-02-12 10:23 161,792 a------- f:\windows\SWREG.exe
2009-02-12 10:23 98,816 a------- f:\windows\sed.exe
2009-02-10 14:11 <DIR> --d----- f:\program files\Trend Micro
2009-02-05 21:49 <DIR> --dshr-- F:\cmdcons
2009-02-05 21:49 <DIR> --d----- f:\windows\setup.pss
2009-02-03 13:37 <DIR> --d----- f:\windows\system32\NtmsData
2009-02-03 08:14 <DIR> --d----- f:\program files\McAfee.com
2009-01-22 18:01 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-22 18:01 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-01-22 18:01 <DIR> --d----- f:\docume~1\jacque\applic~1\SUPERAntiSpyware.com
2009-01-21 22:57 15,504 a------- f:\windows\system32\drivers\mbam.sys
2009-01-21 22:57 38,496 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 12:55 <DIR> --d----- f:\docume~1\jacque\applic~1\Malwarebytes
2009-01-21 12:55 <DIR> --d----- f:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:55 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-01-30 21:03 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-01-22 18:13 2,180 a------- f:\windows\system32\d3d8caps.dat
2009-01-16 22:10 45,904 a------- f:\windows\system32\GDIPFONTCACHEV1.DAT
2005-10-21 21:01 21 a------- f:\program files\AVPersonalAVWIN.INI
2001-08-23 08:00 94,784 ---sh--- f:\windows\twain.dll
2004-08-04 00:56 50,688 ---sh--- f:\windows\twain_32.dll
2004-08-04 00:56 1,028,096 ---sh--- f:\windows\system32\mfc42.dll
2004-08-04 00:56 54,784 ---sh--- f:\windows\system32\msvcirt.dll
2004-08-04 00:56 413,696 a--sh--- f:\windows\system32\msvcp60.dll
2004-08-04 00:56 343,040 ---sh--- f:\windows\system32\msvcrt.dll
2004-08-04 00:56 553,472 ---sh--- f:\windows\system32\oleaut32.dll
2004-08-04 00:56 83,456 ---sh--- f:\windows\system32\olepro32.dll
2004-08-04 00:56 11,776 ---sh--- f:\windows\system32\regsvr32.exe

============= FINISH: 13:33:13.46 ===============

MALWAREBYTES LOG
Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 5.1.2600 Service Pack 2

2/18/2009 1:47:36 PM
mbam-log-2009-02-18 (13-47-36).txt

Scan type: Quick Scan
Objects scanned: 54620
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

COMBOFIX LOG from 2/12

ComboFix 09-02-11.02 - Jacque 2009-02-12 10:26:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.383.155 [GMT -7:00]
Running from: G:\ComboFix.exe
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\windows\regedit.com
f:\windows\system32\SrtssBeg.ini
f:\windows\system32\SrtssBeg.ini2
f:\windows\system32\taskmgr.com

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2009-02-10 14:35 . 2009-02-10 14:36 <DIR> d-------- F:\rsit
2009-02-10 14:11 . 2009-02-10 14:11 <DIR> d-------- f:\program files\Trend Micro
2009-02-03 13:37 . 2009-02-03 13:44 <DIR> d-------- f:\windows\system32\NtmsData
2009-02-03 08:14 . 2009-02-03 08:14 <DIR> d-------- f:\program files\McAfee.com
2009-01-22 18:01 . 2009-01-22 18:01 <DIR> d-------- f:\program files\SUPERAntiSpyware
2009-01-22 18:01 . 2009-01-22 18:01 <DIR> d-------- f:\documents and settings\Jacque\Application Data\SUPERAntiSpyware.com
2009-01-22 18:01 . 2009-01-22 18:01 <DIR> d-------- f:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-21 22:57 . 2009-01-14 16:11 38,496 --a------ f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-21 22:57 . 2009-01-14 16:11 15,504 --a------ f:\windows\system32\drivers\mbam.sys
2009-01-21 12:55 . 2009-01-21 22:57 <DIR> d-------- f:\program files\Malwarebytes' Anti-Malware
2009-01-21 12:55 . 2009-01-21 12:55 <DIR> d-------- f:\documents and settings\Jacque\Application Data\Malwarebytes
2009-01-21 12:55 . 2009-01-21 12:55 <DIR> d-------- f:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 22:10 . 2009-01-16 22:10 45,904 --a------ f:\windows\system32\GDIPFONTCACHEV1.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 04:17 --------- d---a-w f:\documents and settings\All Users\Application Data\TEMP
2009-02-07 18:30 --------- d-----w f:\documents and settings\Jacque\Application Data\Smilebox
2009-02-07 17:55 --------- d-----w f:\program files\Spybot - Search & Destroy
2009-01-23 06:29 --------- d-----w f:\program files\SpywareBlaster
2009-01-23 00:51 --------- d-----w f:\program files\Common Files\Wise Installation Wizard
2009-01-15 23:25 --------- d-----w f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 02:33 --------- d--h--w f:\documents and settings\Jacque\Application Data\Move Networks
2009-01-04 08:25 --------- d-----w f:\program files\MYIE2
2005-10-22 04:01 21 ----a-w f:\program files\AVPersonalAVWIN.INI
2001-08-23 15:00 94,784 --sh--w f:\windows\twain.dll
2004-08-04 07:56 50,688 --sh--w f:\windows\twain_32.dll
2004-08-04 07:56 1,028,096 --sh--w f:\windows\system32\mfc42.dll
2004-08-04 07:56 54,784 --sh--w f:\windows\system32\msvcirt.dll
2004-08-04 07:56 413,696 --sha-w f:\windows\system32\msvcp60.dll
2004-08-04 07:56 343,040 --sh--w f:\windows\system32\msvcrt.dll
2004-08-04 07:56 553,472 --sh--w f:\windows\system32\oleaut32.dll
2004-08-04 07:56 83,456 --sh--w f:\windows\system32\olepro32.dll
2004-08-04 07:56 11,776 --sh--w f:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="f:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 4670968]
"SUPERAntiSpyware"="f:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="f:\progra~1\Sygate\SPF\smc.exe" [2003-10-21 2334792]
"Share-to-Web Namespace Daemon"="f:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Synchronization Manager"="f:\windows\system32\mobsync.exe" [2004-08-04 143360]
"HP Software Update"="f:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="f:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"TkBellExe"="f:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-21 185896]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"HPSoftwareUpdate"="f:\program files\HP\HP Software Update\HPWUCli.exe" [2008-06-10 689456]

f:\documents and settings\Jacque\Start Menu\Programs\Startup\
Yahoo! Widget Engine.lnk - f:\program files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 2913584]

f:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - f:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HPAiODevice(hp psc 900 series) - 1.lnk - f:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-07-23 487484]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStrCmpLogical"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "f:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 f:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-10-13 16:04 278528 f:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-01-18 17:07 196608 f:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-01-18 17:47 458752 f:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-01-18 17:37 217088 f:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
--------- 2008-10-16 07:22 254600 f:\documents and settings\Jacque\Application Data\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-05-15 16:11 3644464 f:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
--a------ 2006-04-19 23:35 237568 f:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SmileboxTray"="f:\documents and settings\Jacque\Application Data\Smilebox\SmileboxTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LVCOMSX"=f:\windows\system32\LVCOMSX.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\MYIE2\\MyIE.exe"=
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"f:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"f:\\Program Files\\Conference\\Conference.dll"=
"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2008-05-14 97928]
R1 SASDIFSV;SASDIFSV;f:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [2008-07-02 875288]
R2 avg8wd;AVG8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 231704]
R2 AvgTdiX;AVG8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2008-05-14 76040]
R3 SASENUM;SASENUM;f:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
- - - - ORPHANS REMOVED - - - -

BHO-{62E5FBB8-E9F8-4467-9D6D-AAA640BF0EB2} - f:\windows\system32\geBsstrS.dll
HKCU-Run-LDM - \Program\BackWeb-8876480.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
IE: &Yahoo! Search - file:///f:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Ad Hunter - f:\program files\MYIE2\config/blacklist.htm
IE: E&xport to Microsoft Excel - f:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///f:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///f:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///f:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: microsoft.com\office
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://f:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 10:28:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(432)
f:\windows\system32\avgrsstx.dll
f:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(500)
f:\windows\system32\avgrsstx.dll
.
Completion time: 2009-02-12 10:32:16
ComboFix-quarantined-files.txt 2009-02-12 17:31:29

Pre-Run: 111,336,894,464 bytes free
Post-Run: 111,326,523,392 bytes free

165

HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:28 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Sygate\SPF\smc.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - F:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [HPSoftwareUpdate] F:\Program Files\HP\HP Software Update\HPWUCli.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [HPSoftwareUpdate] F:\Program Files\HP\HP Software Update\HPWUCli.exe (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Ad Hunter - F:\Program Files\MYIE2\config/blacklist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: f:\windows\system32\nwprovau.dll
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.paltalk.com/wcloader_prod/wcloader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - F:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://phpistons.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123115367996
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://phpistons.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FD6568C-2DB2-4855-8A98-2ECC67FD5BD8}: NameServer = 68.87.85.98,68.87.69.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - F:\Program Files\Sygate\SPF\smc.exe
O24 - Desktop Component 0: (no name) - http://upload.wikimedia.org/wikipedia/comm...osaic_18000.jpg

--
End of file - 9265 bytes

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 18 February 2009 - 06:51 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Looks good.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Take a new DDS.txt log after. Please tell me of any symptoms of infection at the moment.

With Regards,
The Panda

#5 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 18 February 2009 - 08:38 PM

Hi Panda!
Forgive the dumb question but in order to update my computer don't I need to be able to connect to the internet?
I am currently using a different computer to access the internet. The computer that I posted logs for only shows that I have internet connection in my Network Connections but when I click IE I get Action Cancelled - the page can not be displayed - cannot find server. When I click the update link it is sending me the updates for the computer that can connect. Is there some way to do this using a thumb drive? I hope I am making sense.
(btw I did go ahead and update this computer but I don't think it helps the other :thumbup2: )

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 19 February 2009 - 08:18 AM

Hello.

Let's try to repair the connection by installing Service Pack 3.

First, we'll create backups.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Go to Start > Programs > Accessories > System Tools and click System Restore.
Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
---
Download the full setup package for SP3. Transfer it to the problem computer and install.

Tell me how it goes.

With Regards,
The Panda

#7 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 20 February 2009 - 01:02 AM

Thank You Panda
I installed ERUNT successfully & created a backup. I created a restore point and I downloaded SP3 seemingly without a hitch but still no internet. When I tried to connect with IE I got the message "The page cannot be displayed" and it gave the option of diagnosing the connection.

So here is that log if it helps any:

Last diagnostic run time: 02/19/09 22:46:38
WinSock Diagnostic
WinSock status
info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call

Network Adapter Diagnostic
Network location detection
info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139/810x Family Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=1394 Connection 2, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Network connection: Name=MSN Explorer, Device=Lucent Win Modem, MediaType=PHONE, SubMediaType=NONE
info Ethernet connection selected
Network adapter status

info Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 20 February 2009 - 12:03 PM

Hello.

Let's try WinSockFix.

To Restore Connection Using WinsockXPFix
This tool should only be used on Windows NT4, 2000, and XP (and variants). Use on any other operating system may cause serious damage.
  • Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  • Copy the file to the desktop on the damaged computer.
  • Double click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot.
Please let me know if your connection is restored in your next reply.

With Regards,
The Panda

#9 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 20 February 2009 - 03:37 PM

Hi Panda
I ran WinsockXPFix which rebooted the computer and then I tried to connect and nope, still "the page cannot be displayed".
Ran Diagnose Connection Problem and it is telling me:
"Windows has detected a problem with the Winsock provider catalog on this computer. This catalog allows programs to communicate with this computer across the network. Would you like Windows to reset the catalog to the default configuration? This computer might need to be restarted to restore network connectivity."

I wanted to check with you first but I think I would say "yes" or do you want me to cancel and do something else?
Thanks
Jacque

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 20 February 2009 - 03:48 PM

Yes and reboot.

The Panda

#11 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 21 February 2009 - 12:29 AM

Fooyie - I was hoping that would work. I clicked yes and rebooted and still nothing.
Here is the new diagnose log again:
Last diagnostic run time: 02/20/09 16:15:44
WinSock Diagnostic
WinSock status

info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call

Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139/810x Family Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=1394 Connection 2, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Network connection: Name=MSN Explorer, Device=Lucent Win Modem, MediaType=PHONE, SubMediaType=NONE
info Ethernet connection selected
Network adapter status

info Network connection status: Connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 21 February 2009 - 11:24 AM

Hello.

Please click on your Start Menu -> Run -> cmd.exe
In the command prompt that opens, type:
netsh winsock reset catalog

Reboot.

Any change?

With Regards,
The Panda
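Before (or after) running that reset, it helps to know what the Winsock catalog actually contains: the diagnostic above complains that base provider entries are missing, and the HijackThis log earlier in the thread flags an LSP entry. The script below is an added example of mine, not code from Panda, BleepingComputer or any of the tools in this thread. It parses the text that `netsh winsock show catalog` prints, reports which of the two MSAFD TCP/IP base providers are absent (the condition that makes the Windows diagnostic say "a reset is needed"), and lists any provider whose DLL is not one of the Microsoft-shipped providers. The catalog text embedded here is a constructed sample in that command's layout, with placeholder GUIDs; the `examplevendor\examplelsp.dll` provider is hypothetical and exists only to show how a third-party LSP is surfaced.

```python
"""Triage a Winsock catalog dump for missing base providers and foreign LSPs."""
import re

# The two base service providers TCP/IP sockets need on Windows XP. If either
# is missing, name resolution and HTTP fail with the 12007 errors seen above.
REQUIRED_BASE = ("MSAFD Tcpip [TCP/IP]", "MSAFD Tcpip [UDP/IP]")

# Provider DLLs Microsoft ships with XP (mswsock: MSAFD; rsvpsp: QoS;
# winrnr: DNS name space; nwprovau: Client Service for NetWare).
MICROSOFT_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

# Constructed sample in the layout of `netsh winsock show catalog` (XP).
# GUIDs are placeholders. The UDP base provider is deliberately absent and a
# hypothetical third-party layered provider sits on top of the TCP provider.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      f:\program files\examplevendor\examplelsp.dll
Catalog Entry ID:                   1030
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2

Name Space Provider Entry
------------------------------------------------------
Description:                        Tcpip
Provider ID:                        {00000000-0000-0000-0000-000000000003}
Name Space:                         12
Active:                             1
Version:                            0
"""

# Each entry starts with one of two header lines; fields are "Name:   value".
ENTRY_HEADER = r"\n(?=Winsock Catalog Provider Entry|Name Space Provider Entry)"
FIELD = re.compile(r"^([A-Za-z ]+):\s+(\S.*?)\s*$")


def parse_catalog(text):
    """Split the dump into entries and return each as a dict of its fields."""
    entries = []
    for block in re.split(ENTRY_HEADER, text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def audit(text):
    """Report missing base providers and providers backed by non-Microsoft DLLs."""
    entries = parse_catalog(text)
    present = {e.get("Description", "") for e in entries}
    missing = [d for d in REQUIRED_BASE if d not in present]
    foreign = []
    for e in entries:
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll and dll not in MICROSOFT_DLLS:
            foreign.append((e.get("Description", ""), path))
    return {"missing_base": missing, "foreign": foreign, "needs_reset": bool(missing)}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("missing base providers:", report["missing_base"] or "none")
    for desc, path in report["foreign"]:
        print("non-Microsoft provider:", desc, "->", path)
    print("reset recommended:", report["needs_reset"])
```

On a real machine, redirect the command's output to a file and read that file instead of `SAMPLE`. A foreign LSP is not automatically malicious (security suites install them too), but every entry in that list should be accounted for before trusting the machine's network stack again, and `netsh winsock reset catalog` is what removes the ones you cannot account for.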

#13 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 21 February 2009 - 06:49 PM

Reset - Reboot and still no internet. It is the same message as before - no change.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:27 AM

Posted 21 February 2009 - 06:55 PM

Hello.

Let's make sure there is no rootkit at work.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Also take a new DDS.txt log please.

With Regards,
The Panda
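A GMER log is easier to judge once the hooks are grouped by the driver that owns them, because legitimate firewall and anti-spyware drivers hook the same SSDT entries and TCP/IP device objects a rootkit would. The helper below is an added example of mine, not GMER's or BleepingComputer's code. It reads the three hook-bearing line shapes GMER 1.0.12 prints (`SSDT`, `Device` and `.text`), attributes each hook to a kernel module, and flags any module not on a short allow-list of the security products installed in this thread (SUPERAntiSpyware, Sygate and AVG). The sample lines are constructed in GMER's layout; `example.sys` is a hypothetical name used only to show how an unknown hooker is surfaced.

```python
"""Group the hooks in a GMER log by the kernel module GMER attributes them to."""
import re
from collections import OrderedDict

# Drivers known to hook the kernel on this machine, from the products in the
# thread. Anything else hooking the SSDT or TCP/IP stack deserves attention.
KNOWN_HOOKERS = {
    "saskutil.sys": "SUPERAntiSpyware",
    "wpsdrvnt.sys": "Sygate Personal Firewall",
    "teefer.sys": "Sygate Personal Firewall",
    "avgtdix.sys": "AVG network redirector",
}

INLINE_PATCH = "(inline patch, no module named)"

# Constructed sample in the layout of GMER 1.0.12; example.sys is hypothetical.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess
SSDT \??\F:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\F:\WINDOWS\System32\drivers\example.sys ZwOpenProcess

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPTransmit + 10FC F3941D3A 6 Bytes CALL F7615200 Teefer.sys
.text wanarp.sys F798E402 2 Bytes [ 90, 90 ]
"""

HOOK_LINE = re.compile(r"^(SSDT|Device|\.text)\s+(.*\S)\s*$")


def parse_hooks(log):
    """Return a list of (kind, hooked target, hooking module) tuples."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_LINE.match(line)
        if not m:
            continue
        kind, rest = m.group(1), m.group(2)
        tokens = rest.split()
        if kind == "SSDT":
            # "SSDT <driver path, may contain spaces> <hooked Zw function>"
            target = tokens[-1]
            path = rest[: -len(target)].strip()
            module = path.rsplit("\\", 1)[-1]
        elif kind == "Device":
            # "Device <driver object> <device object> <IRP major> [addr] <module>"
            if len(tokens) < 5 or not tokens[-2].startswith("["):
                continue
            target = tokens[1] + " " + tokens[2]
            module = tokens[-1]
        else:
            # ".text <patched symbol> ... CALL <addr> <module>" or raw bytes
            target = tokens[0]
            module = tokens[-1] if "CALL" in tokens else INLINE_PATCH
        hooks.append((kind, target, module))
    return hooks


def summarize(log):
    """Map each hooking module to the list of (kind, target) it hooks."""
    by_module = OrderedDict()
    for kind, target, module in parse_hooks(log):
        by_module.setdefault(module, []).append((kind, target))
    return by_module


def unknown_hookers(log):
    """Modules that hook the kernel but are not on the allow-list."""
    return sorted(
        m for m in summarize(log)
        if m != INLINE_PATCH and m.lower() not in KNOWN_HOOKERS
    )


if __name__ == "__main__":
    for module, hooks in summarize(SAMPLE_LOG).items():
        owner = KNOWN_HOOKERS.get(module.lower(), "UNKNOWN")
        print(f"{module} ({owner}):")
        for kind, target in hooks:
            print(f"    {kind:6} {target}")
    print("unknown hookers:", unknown_hookers(SAMPLE_LOG) or "none")
```

The allow-list is the point of the exercise: an unknown module in the SSDT or on the TCP/IP device stack is what to look up, check the signature of and, if nothing vouches for it, quarantine. An inline `.text` patch that GMER cannot attribute to a module (the `wanarp.sys` NOP bytes above) is reported separately so it is not silently lost.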

#15 wacque

wacque
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:11:27 PM

Posted 21 February 2009 - 10:07 PM

Here you go:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-02-21 20:02:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT \??\F:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess
SSDT \??\F:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\F:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\F:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F7AB26A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F319143E] avgtdix.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F7AB26A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F319143E] avgtdix.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F7AB26A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F319143E] avgtdix.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F7AB26A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F319143E] avgtdix.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F31905A8] avgtdix.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F7AB2360] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F7AB26A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F319143E] avgtdix.sys

---- Files - GMER 1.0.12 ----

ADS F:\Documents and Settings\All Users\Application Data\TEMP:25DB76AE
ADS F:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
ADS F:\Documents and Settings\All Users\Application Data\TEMP:E965A533

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPRegisterProtocol + 8A7 F3959480 6 Bytes CALL F7615200 Teefer.sys
.text tcpip.sys!IPTransmit + 10FC F3941D3A 6 Bytes CALL F7615200 Teefer.sys
.text tcpip.sys!IPTransmit + 2A52 F3943690 6 Bytes CALL F7615200 Teefer.sys
.text wanarp.sys F798E3FD 4 Bytes CALL F7615350 Teefer.sys
.text wanarp.sys F798E402 2 Bytes [ 90, 90 ]

---- EOF - GMER 1.0.12 ----
----------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by Jacque at 20:03:42.85 on Sat 02/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.78 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\WINDOWS\System32\svchost.exe -k imgsvc
F:\WINDOWS\Explorer.EXE
F:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\QuickTime\qttask.exe
F:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\HP\HP Software Update\HPWuSchd2.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
F:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
F:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
F:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
F:\Documents and Settings\Jacque\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - f:\program files\yahoo!\common\yiesrvc.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - f:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - f:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "f:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] f:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SmcService] f:\progra~1\sygate\spf\smc.exe -startgui
mRun: [Share-to-Web Namespace Daemon] f:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [HP Software Update] f:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] f:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [HPSoftwareUpdate] f:\program files\hp\hp software update\HPWUCli.exe
StartupFolder: f:\docume~1\jacque\startm~1\programs\startup\erunta~1.lnk - f:\program files\erunt\AUTOBACK.EXE
StartupFolder: f:\docume~1\jacque\startm~1\programs\startup\yahoo!~1.lnk - f:\program files\yahoo!\widgets\YahooWidgetEngine.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - f:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - f:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 01000000
IE: &Yahoo! Search - file:///f:\program files\yahoo!\Common/ycsrch.htm
IE: Add to Ad Hunter - f:\program files\myie2\config/blacklist.htm
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///f:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///f:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///f:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - f:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
Trusted Zone: plaxo.com\www
DPF: Microsoft XML Parser for Java - file://f:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} - hxxp://downloads.comcast.net/videomail/vmLauncher.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} - hxxp://download.paltalk.com/wcloader_prod/wcloader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - f:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://phpistons.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123115367996
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://phpistons.spaces.live.com/PhotoUpload/MsnPUpld.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38074.6646064815
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - f:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - f:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;f:\windows\system32\drivers\avgldx86.sys [2008-5-14 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;f:\windows\system32\drivers\avgmfx86.sys [2007-2-3 26824]
R1 SASDIFSV;SASDIFSV;f:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;f:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 aawservice;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8emc;AVG8 E-mail Scanner;f:\progra~1\avg\avg8\avgemc.exe [2008-7-2 875288]
R2 avg8wd;AVG8 WatchDog;f:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 231704]
R2 AvgTdiX;AVG8 Network Redirector;f:\windows\system32\drivers\avgtdix.sys [2008-5-14 76040]
R3 SASENUM;SASENUM;f:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 JL2005C;Dual Mode Camera;f:\windows\system32\drivers\jl2005c.sys [2008-5-10 62794]

=============== Created Last 30 ================

2009-02-21 18:49 250 a------- f:\windows\gmer.ini
2009-02-19 22:20 6,144 -------- f:\windows\system32\kbdpash.dll
2009-02-19 22:15 <DIR> --d----- f:\windows\network diagnostic
2009-02-19 22:15 144,384 -------- f:\windows\system32\drivers\hdaudbus.sys
2009-02-19 22:14 10,240 -------- f:\windows\system32\drivers\sffp_mmc.sys
2009-02-19 22:12 19,569 a------- f:\windows\006033_.tmp
2009-02-12 10:23 161,792 a------- f:\windows\SWREG.exe
2009-02-12 10:23 98,816 a------- f:\windows\sed.exe
2009-02-10 14:11 <DIR> --d----- f:\program files\Trend Micro
2009-02-05 21:49 <DIR> --dshr-- F:\cmdcons
2009-02-05 21:49 <DIR> --d----- f:\windows\setup.pss
2009-02-03 13:37 <DIR> --d----- f:\windows\system32\NtmsData
2009-02-03 08:14 <DIR> --d----- f:\program files\McAfee.com

==================== Find3M ====================

2009-02-19 22:24 86,327 a------- f:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-30 21:03 1,744 a------- f:\windows\system32\d3d9caps.dat
2009-01-22 18:13 2,180 a------- f:\windows\system32\d3d8caps.dat
2009-01-16 22:10 45,904 a------- f:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-14 16:11 38,496 a------- f:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- f:\windows\system32\drivers\mbam.sys
2005-10-21 21:01 21 a------- f:\program files\AVPersonalAVWIN.INI
2001-08-23 08:00 94,784 ---sh--- f:\windows\twain.dll
2008-04-14 05:42 50,688 ---sh--- f:\windows\twain_32.dll
2008-04-14 05:41 1,028,096 a--sh--- f:\windows\system32\mfc42.dll
2008-04-14 05:42 57,344 ---sh--- f:\windows\system32\msvcirt.dll
2008-04-14 05:42 413,696 a--sh--- f:\windows\system32\msvcp60.dll
2008-04-14 05:42 343,040 a--sh--- f:\windows\system32\msvcrt.dll
2008-04-14 05:42 551,936 ---sh--- f:\windows\system32\oleaut32.dll
2008-04-14 05:42 84,992 a--sh--- f:\windows\system32\olepro32.dll
2008-04-14 05:42 11,776 ---sh--- f:\windows\system32\regsvr32.exe

============= FINISH: 20:04:35.37 ===============
