Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

multiple malware incl. relevant knowledge


  • Please log in to reply
9 replies to this topic

#1 bdmerz

bdmerz

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville, KY
  • Local time:07:07 PM

Posted 15 February 2009 - 03:07 PM

i have been receiving help from Mark (garmanma) at the "am i infected" forum and this is the next step that he has recommended.
Original Thread

i am helping to clean someone else's computer an i have run many scans including AVG, AD-Aware, Avira, Norton 360, Malwarebytes, SuperAnti-spyware, ccleaner, atf cleaner and dr web cure it.

the original symptoms were limited connectivity and redirected web pages, as well as spyware guard 2009 popping open repeatedly. i looked online and found walkthroughs to clean it by deleting registry files, and other files known to be associated with the program. i returned the computer as it seemed to work well and AVG and Ad-aware both cleared out some files. but in a week the connectivity problem returned without spyware guard 2009. i did some work on it and found relevant knowledge and did my best to remove it as recommended by different web pages. but the problem did not seem to be resolved and i started the original thread at about that point and followed his prescriptions bringing me to you here.

thank you very much for your help, here is my dds.txt:


DDS (Ver_09-02-01.01) - NTFSx86
Run by angie martain at 14:44:05.98 on Sun 02/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.174 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
AV: Norton 360 *On-access scanning enabled* (Outdated)
FW: Norton 360 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\angie martain\Application Data\U3\0000060414049665\LaunchPad.exe
C:\Documents and Settings\angie martain\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRfox000&fl=0&ptb=7ZNLGBxDSmEdWg65uChw3Q&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {89E9964C-A342-47A4-8061-37DC19CED2D5} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [DLCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCGtime.dll,_RunDLLEntry@16
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
StartupFolder: c:\docume~1\angiem~1\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: yayxWpnK - yayxWpnK.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkLDspQ

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angiem~1\applic~1\mozilla\firefox\profiles\14npdc58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11088&client_id=713448afa54a78889c0bec78&camp_id=-1&install_time=2008-12-07T00:32:28Z&tb_version=2.0.0%28F%29pr=auto&q=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\components\dompilot3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - HiddenExtension: *xg.dll: {6E19037A-12E3-4295-8915-ED48BC341614} - c:\program files\

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-2-10 11840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-10 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-10 151297]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-16 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-16 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-16 76040]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-18 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-18 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-18 149352]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-2-10 52032]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-7 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVENG.SYS [2009-2-7 82256]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080213.036\NAVEX15.SYS [2009-2-7 895312]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-2-7 1245064]

=============== Created Last 30 ================

2009-02-14 20:50 --d----- c:\documents and settings\angie martain\DoctorWeb
2009-02-12 19:43 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-12 19:43 --d----- c:\program files\SUPERAntiSpyware
2009-02-12 19:43 --d----- c:\docume~1\angiem~1\applic~1\SUPERAntiSpyware.com
2009-02-10 07:01 --d----- c:\program files\Avira
2009-02-10 07:01 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-02-09 21:39 --d----- c:\program files\common files\Wise Installation Wizard
2009-02-09 17:56 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 17:56 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-07 01:43 --d----- c:\windows\Cache
2009-02-07 00:07 --d----- c:\program files\Norton 360
2009-02-07 00:05 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-07 00:05 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-07 00:05 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-07 00:05 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-06 20:28 --d----- c:\program files\Trend Micro
2009-02-06 20:23 389,120 a------- c:\windows\system32\CF14157.exe
2009-02-06 20:23 --d----- C:\ComboFix
2009-02-06 20:12 --d----- c:\docume~1\angiem~1\applic~1\Malwarebytes
2009-02-06 18:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-06 18:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-17 16:16 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 22:22 --d-h--- C:\$AVG8.VAULT$
2009-01-16 22:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 22:10 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-16 22:10 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-16 22:10 --d----- c:\windows\system32\drivers\Avg
2009-01-16 22:10 --d----- c:\docume~1\angiem~1\applic~1\AVGTOOLBAR
2009-01-16 22:00 --d----- c:\program files\AVG
2009-01-16 22:00 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-16 21:51 26,368 a------- c:\windows\system32\dllcache\usbstor.sys

==================== Find3M ====================

2009-01-15 21:17 0 a------- c:\program files\chrome.manifest
2009-01-15 21:13 1,690,112 a------- c:\program files\rlvknlg.exe
2009-01-15 21:13 372,736 a------- c:\program files\osmim.dll
2009-01-15 21:13 217,088 a------- c:\program files\dompilot.dll
2009-01-15 21:13 45,056 a------- c:\program files\OSSService.exe
2009-01-15 21:13 649 a------- c:\program files\install.rdf
2009-01-15 21:13 708,608 a------- c:\program files\osspdf.dll
2009-01-15 21:08 1,648,678 a--sh--- c:\windows\system32\QpsDLkkj.ini2
2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-08-29 19:37 164 a------- c:\docume~1\angiem~1\applic~1\wklnhst.dat
2008-08-22 14:46 61,224 a------- c:\documents and settings\angie martain\GoToAssistDownloadHelper.exe

============= FINISH: 14:45:11.54 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:07 AM

Posted 24 February 2009 - 01:16 PM

Hello Bdmerz and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 bdmerz

bdmerz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville, KY
  • Local time:07:07 PM

Posted 24 February 2009 - 09:25 PM

combofix alerted me that one of my anti-virus programs (Avira) is still active, even though i manually closed avira and disabled startup. is there something that i can do to deactivate or should i uninstall it?

thank you for your help. :thumbup2:

here is the goored log:

GooredFix v1.91 by jpshortstuff
Log created at 20:35 on 24/02/2009 running Option #2 (angie martain)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{6E19037A-12E3-4295-8915-ED48BC341614}"="C:\Program Files\"

Attached Files



#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:07 AM

Posted 25 February 2009 - 04:35 AM

Hello Bdmerz,

I see Avira (good choice), AVG 8 and traces of Symantec.
It's not recommended to have more than 1 antivirus program running actively !!

Please uninstall (Control Panel > Software) : AVG Free 8.0
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Norton Security Scan
Norton Security Scan (Symantec Corporation)
SearchAssist
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Reboot your system, disable Avira Antivir Guard :

Please check the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks like this: Posted Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks like this: Posted Image )
Now you can run ComboFix, even if it indicates Avira is still active. :thumbup2:

Greetings,
Thunder

Edited by Thunder, 25 February 2009 - 04:35 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 bdmerz

bdmerz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville, KY
  • Local time:07:07 PM

Posted 26 February 2009 - 01:29 PM

i had trouble uninstalling avg, but i was able to disable it. i could not install the recovery console because the internet has not been working right.

Thanks, here it is:

ComboFix 09-02-24.02 - angie martain 2009-02-26 12:59:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.228 [GMT -5:00]
Running from: c:\documents and settings\angie martain\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bndmrubk.ini
c:\windows\system32\ewwtxbdc.ini
c:\windows\system32\jndiceqr.ini
c:\windows\system32\joposfwv.ini
c:\windows\system32\nnwmwdep.ini
c:\windows\system32\pdkwylqc.ini
c:\windows\system32\QpsDLkkj.ini
c:\windows\system32\QpsDLkkj.ini2
c:\windows\system32\sodmkutg.ini
c:\windows\system32\yvsycbhm.ini
c:\windows\Tasks\kmfnibok.job
c:\windows\Tasks\mshejxux.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-14 20:50 . 2009-02-14 20:50 <DIR> d-------- c:\documents and settings\angie martain\DoctorWeb
2009-02-14 09:53 . 2009-02-14 09:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-13 20:07 . 2009-02-13 20:34 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\documents and settings\angie martain\Application Data\SUPERAntiSpyware.com
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 07:01 . 2009-02-10 07:01 <DIR> d-------- c:\program files\Avira
2009-02-10 07:01 . 2009-02-10 07:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-09 21:39 . 2009-02-12 19:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-09 17:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 17:56 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-07 01:43 . 2009-02-07 01:43 <DIR> d-------- c:\windows\Cache
2009-02-06 20:28 . 2009-02-06 20:28 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 20:12 . 2009-02-06 20:12 <DIR> d-------- c:\documents and settings\angie martain\Application Data\Malwarebytes
2009-02-06 19:01 . 2009-02-06 19:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-06 18:53 . 2009-02-09 18:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 18:53 . 2009-02-06 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 17:57 --------- d-----w c:\documents and settings\angie martain\Application Data\U3
2009-02-26 17:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 17:25 --------- d-----w c:\documents and settings\angie martain\Application Data\Symantec
2009-02-26 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-26 17:22 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-25 02:00 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2009-02-25 01:29 --------- d-----w c:\program files\Dl_cats
2009-02-12 02:20 --------- d-----w c:\program files\Common Files\Adobe
2009-02-07 05:57 --------- d-----w c:\program files\WildTangent
2009-02-07 05:52 --------- d-----w c:\program files\Jasc Software Inc
2009-02-07 05:52 --------- d-----w c:\documents and settings\angie martain\Application Data\Jasc Software Inc
2009-02-07 05:46 --------- d-----w c:\program files\Google
2009-02-07 05:44 --------- d-----w c:\program files\Dell
2009-02-07 05:43 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-07 05:43 --------- d-----w c:\program files\AVSMedia
2009-02-07 05:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-25 08:15 --------- d-----w c:\documents and settings\angie martain\Application Data\AVGTOOLBAR
2009-01-22 20:21 --------- d-----w c:\documents and settings\james moody\Application Data\Webshots
2009-01-18 06:42 --------- d-----w c:\documents and settings\james moody\Application Data\AVGTOOLBAR
2009-01-18 00:13 --------- d-----w c:\program files\Yahoo!
2009-01-17 20:00 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-01-17 03:10 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-17 03:10 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-17 03:00 --------- d-----w c:\program files\AVG
2009-01-17 00:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 20:14 --------- d-----w c:\documents and settings\james moody\Application Data\Smart-Shopper
2009-01-16 03:00 --------- d-----w c:\documents and settings\james moody\Application Data\Viewpoint
2009-01-16 02:17 0 ----a-w c:\program files\chrome.manifest
2009-01-16 02:13 708,608 ----a-w c:\program files\osspdf.dll
2009-01-16 02:13 649 ----a-w c:\program files\install.rdf
2009-01-16 02:13 45,056 ----a-w c:\program files\OSSService.exe
2009-01-16 02:13 372,736 ----a-w c:\program files\osmim.dll
2009-01-16 02:13 217,088 ----a-w c:\program files\dompilot.dll
2009-01-16 02:13 1,690,112 ----a-w c:\program files\rlvknlg.exe
2009-01-16 02:13 --------- d-----w c:\program files\components
2009-01-16 01:34 --------- d-----w c:\program files\Picasa2
2009-01-15 20:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-01-12 07:01 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Smart-Shopper
2008-08-30 00:37 164 ----a-w c:\documents and settings\angie martain\Application Data\wklnhst.dat
2008-08-22 19:46 61,224 ----a-w c:\documents and settings\angie martain\GoToAssistDownloadHelper.exe
2008-04-26 00:17 164 ----a-w c:\documents and settings\james moody\Application Data\wklnhst.dat
2007-10-23 02:43 60,968 ----a-w c:\documents and settings\james moody\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1261336]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]

c:\documents and settings\angie martain\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-10-14 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^angie martain^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\angie martain\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 13:28 266497 c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcgmon.exe]
--a------ 2005-10-21 10:42 425984 c:\program files\Dell AIO 810\DLCGmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-04-05 19:19 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-04-05 19:22 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-04-05 19:23 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-24 18:36 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 76040]
R2 DLCGCustomerConnect;DLCGCustomerConnect;c:\windows\system32\spool\drivers\w32x86\3\dlcgserv.exe [2005-09-08 57344]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D716DTB1-james moody).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{89E9964C-A342-47A4-8061-37DC19CED2D5} - (no file)
Notify-yayxWpnK - yayxWpnK.dll
MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
MSConfigStartUp-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
MSConfigStartUp-osCheck - c:\program files\Norton 360\osCheck.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRfox000&fl=0&ptb=7ZNLGBxDSmEdWg65uChw3Q&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\angie martain\Application Data\Mozilla\Firefox\Profiles\14npdc58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11088&client_id=713448afa54a78889c0bec78&camp_id=-1&install_time=2008-12-07T00:32:28Z&tb_version=2.0.0%28F%29pr=auto&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 13:06:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgemc.exe
.
**************************************************************************
.
Completion time: 2009-02-26 13:10:01 - machine was rebooted [angie martain]
ComboFix-quarantined-files.txt 2009-02-26 18:09:53

Pre-Run: 104,671,895,552 bytes free
Post-Run: 104,586,522,624 bytes free

238 --- E O F --- 2009-01-17 01:25:03

Attached Files

  • Attached File  log.txt   16.45KB   18 downloads


#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:07 AM

Posted 26 February 2009 - 01:58 PM

Hello Bdmerz,

Please download and run this AVG Remover.

Then, let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
c:\program files\chrome.manifest
c:\program files\osspdf.dll
c:\program files\install.rdf
c:\program files\OSSService.exe
c:\program files\osmim.dll
c:\program files\dompilot.dll
c:\program files\rlvknlg.exe
Folder::
c:\program files\components

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply.

If you you still don't have an internet connection, try running Winsockfix.

Download and Run WinsockFix
  • Download WinsockXPFix and save it to your desktop.
  • Double Click on Posted Image on your desktop.
  • Push the Posted Image button.
  • Allow your system to reboot afterwards.
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 bdmerz

bdmerz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville, KY
  • Local time:07:07 PM

Posted 27 February 2009 - 06:07 PM

i ran winsockfix, i think that the problem is with my modem now. this computer i am working on was having trouble at it's home, it was diverted to a false avg homepage and other web pages would not open at all, but ebay was still allowed to load. it is running win xp and has a different modem than the one i have. i tried to get the driver for the modem last night after i ran the winsockfix, but the driver for the model seems to be available only for windows vista, so i thought that maybe this modem only works with vista... or something.

thank you, have a good day
d

here is the new combofix log:

ComboFix 09-02-24.02 - angie martain 2009-02-26 18:23:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.286 [GMT -5:00]
Running from: c:\documents and settings\angie martain\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\angie martain\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\program files\chrome.manifest
c:\program files\dompilot.dll
c:\program files\install.rdf
c:\program files\osmim.dll
c:\program files\osspdf.dll
c:\program files\OSSService.exe
c:\program files\rlvknlg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\chrome.manifest
c:\program files\components
c:\program files\components\dompilot3.dll
c:\program files\dompilot.dll
c:\program files\install.rdf
c:\program files\osmim.dll
c:\program files\osspdf.dll
c:\program files\OSSService.exe
c:\program files\rlvknlg.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-14 20:50 . 2009-02-14 20:50 <DIR> d-------- c:\documents and settings\angie martain\DoctorWeb
2009-02-14 09:53 . 2009-02-14 09:53 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-13 20:07 . 2009-02-13 20:34 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\documents and settings\angie martain\Application Data\SUPERAntiSpyware.com
2009-02-12 19:43 . 2009-02-12 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-10 07:01 . 2009-02-10 07:01 <DIR> d-------- c:\program files\Avira
2009-02-10 07:01 . 2009-02-10 07:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-02-09 21:39 . 2009-02-12 19:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-09 17:56 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 17:56 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-07 01:43 . 2009-02-07 01:43 <DIR> d-------- c:\windows\Cache
2009-02-06 20:28 . 2009-02-06 20:28 <DIR> d-------- c:\program files\Trend Micro
2009-02-06 20:12 . 2009-02-06 20:12 <DIR> d-------- c:\documents and settings\angie martain\Application Data\Malwarebytes
2009-02-06 19:01 . 2009-02-06 19:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-06 18:53 . 2009-02-09 18:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 18:53 . 2009-02-06 18:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 22:52 --------- d-----w c:\documents and settings\angie martain\Application Data\AVGTOOLBAR
2009-02-26 17:57 --------- d-----w c:\documents and settings\angie martain\Application Data\U3
2009-02-26 17:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 17:25 --------- d-----w c:\documents and settings\angie martain\Application Data\Symantec
2009-02-26 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-25 02:00 --------- d-----w c:\documents and settings\Administrator\Application Data\U3
2009-02-25 01:29 --------- d-----w c:\program files\Dl_cats
2009-02-12 02:20 --------- d-----w c:\program files\Common Files\Adobe
2009-02-07 05:57 --------- d-----w c:\program files\WildTangent
2009-02-07 05:52 --------- d-----w c:\program files\Jasc Software Inc
2009-02-07 05:52 --------- d-----w c:\documents and settings\angie martain\Application Data\Jasc Software Inc
2009-02-07 05:46 --------- d-----w c:\program files\Google
2009-02-07 05:44 --------- d-----w c:\program files\Dell
2009-02-07 05:43 --------- d-----w c:\program files\Common Files\AVSMedia
2009-02-07 05:43 --------- d-----w c:\program files\AVSMedia
2009-02-07 05:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 05:39 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 20:21 --------- d-----w c:\documents and settings\james moody\Application Data\Webshots
2009-01-18 06:42 --------- d-----w c:\documents and settings\james moody\Application Data\AVGTOOLBAR
2009-01-18 00:13 --------- d-----w c:\program files\Yahoo!
2009-01-17 20:00 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2009-01-17 03:00 --------- d-----w c:\program files\AVG
2009-01-17 00:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-16 20:14 --------- d-----w c:\documents and settings\james moody\Application Data\Smart-Shopper
2009-01-16 03:00 --------- d-----w c:\documents and settings\james moody\Application Data\Viewpoint
2009-01-16 01:34 --------- d-----w c:\program files\Picasa2
2009-01-15 20:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-01-12 07:01 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\Smart-Shopper
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-08-30 00:37 164 ----a-w c:\documents and settings\angie martain\Application Data\wklnhst.dat
2008-08-22 19:46 61,224 ----a-w c:\documents and settings\angie martain\GoToAssistDownloadHelper.exe
2008-04-26 00:17 164 ----a-w c:\documents and settings\james moody\Application Data\wklnhst.dat
2007-10-23 02:43 60,968 ----a-w c:\documents and settings\james moody\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-26_13.08.41.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-26 22:52:59 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DLCGCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll" [2005-09-08 73728]

c:\documents and settings\angie martain\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2006-10-14 45056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^angie martain^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\angie martain\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
--a------ 2008-06-12 13:28 266497 c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlcgmon.exe]
--a------ 2005-10-21 10:42 425984 c:\program files\Dell AIO 810\DLCGmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-04-05 19:19 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-04-05 19:22 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-04-05 19:23 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-24 18:36 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 DLCGCustomerConnect;DLCGCustomerConnect;c:\windows\system32\spool\drivers\w32x86\3\dlcgserv.exe [2005-09-08 57344]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D716DTB1-james moody).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRfox000&fl=0&ptb=7ZNLGBxDSmEdWg65uChw3Q&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\angie martain\Application Data\Mozilla\Firefox\Profiles\14npdc58.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=11088&client_id=713448afa54a78889c0bec78&camp_id=-1&install_time=2008-12-07T00:32:28Z&tb_version=2.0.0%28F%29pr=auto&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 18:25:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCGCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-26 18:27:32
ComboFix-quarantined-files.txt 2009-02-26 23:27:27
ComboFix2.txt 2009-02-26 18:10:05

Pre-Run: 104,772,161,536 bytes free
Post-Run: 104,755,367,936 bytes free

201 --- E O F --- 2009-01-17 01:25:03

Attached Files

  • Attached File  log2.txt   13.89KB   0 downloads


#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:07 AM

Posted 03 March 2009 - 04:57 PM

Hello Bdmerz,

Did the Dr. Web scan turn anything up ?

This log looks fine. :thumbup2:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Do you have a known working internet connection at your disposal to test this system on ?

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#9 bdmerz

bdmerz
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Louisville, KY
  • Local time:07:07 PM

Posted 03 March 2009 - 06:36 PM

the dr web scan did remove some objects, but i closed the program before saving the log file.

i have removed combofix.

i now have the modem that goes with the computer and the internet seems to work fine. i updated windows and avira successfully.

i have removed viewpoint long ago, do you think that there is something of it left? is there something that need to do?

how will i know if the computer is not fully healed?

thank you thank you thank you. :thumbup2:
good day
d

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:02:07 AM

Posted 04 March 2009 - 05:09 PM

Hello Bdmerz,

If you no longer have any problems,

and a scan with a fully updated Avira turns up clean,
then your system is very likely good to go again. :thumbup2:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users