
Spyware has disabled AVG and Spybot


13 replies to this topic

#1 Flabby (Members, 14 posts)

Posted 01 May 2009 - 05:38 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 16:31:58.85 on Fri 05/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.456 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: EyeOnIE Class: {316aef8d-3c37-423e-9e6e-13820a9dc37a} - c:\progra~1\pcsecu~1\theshi~1\IrlOnIE.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [dwStart] c:\program files\pcsecurityshield\the shield firewall\FireWall.exe
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://tjcamera.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211940194843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5378/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: NameServer = 85.255.112.132,85.255.112.188
TCP: {631D105D-647A-4567-8161-7C1CF0EAE9AF} = 208.67.220.220,208.67.222.222
TCP: {92FF6AFA-2902-483B-B872-17AE3D23F8C2} = 208.67.220.220,208.67.222.222
TCP: {A3F4C798-7444-4937-9426-85582A9C77A5} = 208.67.220.220,208.67.222.222
TCP: {CC607281-709D-4EBB-837C-A2F5C7A82368} = 208.67.220.220,208.67.222.222
TCP: {D6818A31-9200-46F5-A0FB-F128CC42ACAC} = 85.255.112.132,85.255.112.188
TCP: {F2179EA8-4045-4417-B078-64C60543AEC1} = 208.67.220.220,208.67.222.222
TCP: {FAB997C1-5BF9-4DA8-91D9-3288ED125C78} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0h5i3v8g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\download manager\npfpdlm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-6 107272]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-1-1 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-6 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-6 298264]
R3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
R3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2005-7-7 3968]
S0 si3114;si3114;c:\windows\system32\drivers\si3114.sys [2005-2-28 54872]
S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2006-7-2 96256]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [2008-2-18 138528]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2006-9-16 47360]

=============== Created Last 30 ================

2009-05-01 15:27 324 ---shr-- C:\autorun.inf
2009-04-23 17:11 7,462 a------- c:\windows\PiView.sav
2009-04-23 17:09 1,136 a----r-- c:\windows\SAMPLE1.LDA
2009-04-23 17:09 20,389 a----r-- c:\windows\PiView.pal
2009-04-23 17:09 182 a----r-- c:\windows\PiView.win
2009-04-23 17:09 48 a----r-- c:\windows\PiView.bar
2009-04-23 17:09 4 a----r-- c:\windows\PiView.zom
2009-04-23 17:08 924,432 a----r-- c:\windows\mfc40.dll
2009-04-23 17:08 329,728 a----r-- c:\windows\Tab32x20.ocx
2009-04-15 08:38 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 08:38 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 08:38 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 08:38 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 08:38 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 08:38 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 08:38 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 08:38 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 08:38 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 08:37 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 08:37 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-11 10:45 <DIR> --dshr-- C:\cmdcons
2009-04-11 10:45 <DIR> --d----- c:\windows\setup.pss
2009-04-11 10:45 <DIR> --d----- c:\windows\setupupd
2009-04-03 21:03 129 a------- c:\windows\JCMkr32.INI

==================== Find3M ====================

2009-04-15 18:56 27,688 ac------ c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 12:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 13:59 56,832 a------- c:\windows\system32\secur32.dll
2007-12-04 20:30 9,728 ac-sh--- c:\program files\Thumbs.db
2006-07-20 16:07 18,801 ac------ c:\program files\IE70BlockerHelp.htm
2006-05-08 18:07 28,142 ac------ c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
2006-05-08 17:13 3,730 ac------ c:\program files\IE70Blocker.adm
2006-05-08 17:13 1,809 ac------ c:\program files\IE70Blocker.cmd
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
2008-12-31 12:26 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2008-12-31 12:26 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2008-12-31 12:26 49,152 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:32:23.79 ===============

#2 Flabby, Topic Starter (Members, 14 posts)

Posted 03 May 2009 - 04:56 PM

After running Ad-Aware, it says I'm infected with Win32 Trojan Alureon.
Ad-Aware says it removed it, but IE is still being hijacked.

#3 Maurice Naggar, Eradicator de malware (Malware Response Team, 1,088 posts, Male, USA)

Posted 16 May 2009 - 08:09 AM

Hello Flabby,

If your issues have been resolved, or if you are getting help elsewhere, please let us know.
Otherwise, do the following:

Set Windows to show all files and all folders.
On your Desktop, double click My Computer. From the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.

Next, take out the trash (temporary files & temporary internet files).
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
Spybot's Tea Timer will block updates to the registry, and thus hamper the full removal of malware. You must disable it while cleaning.

Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
=

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


=
Next, start a new DDS run.

Reply with copies of the MBAM log and the DDS reports DDS.txt + Attach.txt.

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may at some point have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4 Flabby, Topic Starter (Members, 14 posts)

Posted 16 May 2009 - 12:47 PM

Malwarebytes' Anti-Malware 1.11
Database version: 689

Scan type: Quick Scan
Objects scanned: 34869
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Sammsoft (Rogue.Advanced.Registry.Optimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system\SYSRegC.dll (Trojan.Agent) -> Quarantined and deleted successfully.
********************************************************************************
DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 11:42:29.98 on Sat 05/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.386 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\User\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [dwStart] c:\program files\pcsecurityshield\the shield firewall\FireWall.exe
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\user\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://tjcamera.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211940194843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5378/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {631D105D-647A-4567-8161-7C1CF0EAE9AF} = 208.67.220.220,208.67.222.222
TCP: {92FF6AFA-2902-483B-B872-17AE3D23F8C2} = 208.67.220.220,208.67.222.222
TCP: {A3F4C798-7444-4937-9426-85582A9C77A5} = 208.67.220.220,208.67.222.222
TCP: {CC607281-709D-4EBB-837C-A2F5C7A82368} = 208.67.220.220,208.67.222.222
TCP: {F2179EA8-4045-4417-B078-64C60543AEC1} = 208.67.220.220,208.67.222.222
TCP: {FAB997C1-5BF9-4DA8-91D9-3288ED125C78} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0h5i3v8g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\download manager\npfpdlm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-6 107272]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-1-1 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-6 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-6 298264]
S0 si3114;si3114;c:\windows\system32\drivers\si3114.sys [2005-2-28 54872]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2006-7-2 96256]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2005-7-7 3968]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [2008-2-18 138528]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2006-9-16 47360]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-15 20:39 161,792 a------- c:\windows\SWREG.exe
2009-05-15 20:39 98,816 a------- c:\windows\sed.exe
2009-05-15 20:39 <DIR> --d----- C:\ComboFix
2009-05-05 11:47 26 a------- c:\windows\Zone.Identifier
2009-05-02 14:34 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-05-02 14:33 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-05-02 14:32 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-05-02 14:30 <DIR> --d----- c:\windows\ie8updates
2009-05-02 14:29 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-02 14:29 <DIR> -cd-h--- c:\windows\ie8
2009-04-23 17:11 7,462 a------- c:\windows\PiView.sav
2009-04-23 17:09 1,136 a----r-- c:\windows\SAMPLE1.LDA
2009-04-23 17:09 20,389 a----r-- c:\windows\PiView.pal
2009-04-23 17:09 182 a----r-- c:\windows\PiView.win
2009-04-23 17:09 48 a----r-- c:\windows\PiView.bar
2009-04-23 17:09 4 a----r-- c:\windows\PiView.zom
2009-04-23 17:08 924,432 a----r-- c:\windows\mfc40.dll
2009-04-23 17:08 329,728 a----r-- c:\windows\Tab32x20.ocx

==================== Find3M ====================

2009-04-15 18:56 27,688 ac------ c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2007-12-04 20:30 9,728 ac-sh--- c:\program files\Thumbs.db
2006-07-20 16:07 18,801 ac------ c:\program files\IE70BlockerHelp.htm
2006-05-08 18:07 28,142 ac------ c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
2006-05-08 17:13 3,730 ac------ c:\program files\IE70Blocker.adm
2006-05-08 17:13 1,809 ac------ c:\program files\IE70Blocker.cmd
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 11:43:06.01 ===============




#5 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 16 May 2009 - 12:52 PM

First, disable Spybot's TeaTimer and keep it disabled while we try to remove malware!
Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
=

This has an extremely old version of MBAM. You have to first de-install (remove) MBAM using Add or Remove Programs from Control Panel.
Then, download the current version:

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Edited by Maurice Naggar, 16 May 2009 - 12:57 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6 Flabby

Flabby
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 16 May 2009 - 04:38 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 3

5/16/2009 3:35:24 PM
mbam-log-2009-05-16 (15-35-24).txt

Scan type: Quick Scan
Objects scanned: 85043
Time elapsed: 4 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3e15dfe-d990-4c3f-9be2-4cf4e3e007ce} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
*******
DDS (Ver_09-05-14.01) - NTFSx86
Run by User at 15:36:23.56 on Sat 05/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.330 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\User\My Documents\My Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [dwStart] c:\program files\pcsecurityshield\the shield firewall\FireWall.exe
mRun: [nwiz] nwiz.exe /install
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\user\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/Oneclickfix/tgctlsr.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://tjcamera.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211940194843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5378/mcfscan.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
TCP: {631D105D-647A-4567-8161-7C1CF0EAE9AF} = 208.67.220.220,208.67.222.222
TCP: {92FF6AFA-2902-483B-B872-17AE3D23F8C2} = 208.67.220.220,208.67.222.222
TCP: {A3F4C798-7444-4937-9426-85582A9C77A5} = 208.67.220.220,208.67.222.222
TCP: {CC607281-709D-4EBB-837C-A2F5C7A82368} = 208.67.220.220,208.67.222.222
TCP: {F2179EA8-4045-4417-B078-64C60543AEC1} = 208.67.220.220,208.67.222.222
TCP: {FAB997C1-5BF9-4DA8-91D9-3288ED125C78} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\0h5i3v8g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\download manager\npfpdlm.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-6 107272]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2005-1-1 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-6 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-6 298264]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-16 38496]
S0 si3114;si3114;c:\windows\system32\drivers\si3114.sys [2005-2-28 54872]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169]
S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2006-7-2 96256]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2005-7-7 3968]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [2008-2-18 138528]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2006-9-16 47360]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-16 15:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-16 15:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 15:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-15 20:39 161,792 a------- c:\windows\SWREG.exe
2009-05-15 20:39 98,816 a------- c:\windows\sed.exe
2009-05-15 20:39 <DIR> --d----- C:\ComboFix
2009-05-05 11:47 26 a------- c:\windows\Zone.Identifier
2009-05-02 14:34 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-05-02 14:33 <DIR> --dsh--- c:\documents and settings\user\PrivacIE
2009-05-02 14:32 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-05-02 14:30 <DIR> --d----- c:\windows\ie8updates
2009-05-02 14:29 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-02 14:29 <DIR> -cd-h--- c:\windows\ie8
2009-04-23 17:11 7,462 a------- c:\windows\PiView.sav
2009-04-23 17:09 1,136 a----r-- c:\windows\SAMPLE1.LDA
2009-04-23 17:09 20,389 a----r-- c:\windows\PiView.pal
2009-04-23 17:09 182 a----r-- c:\windows\PiView.win
2009-04-23 17:09 48 a----r-- c:\windows\PiView.bar
2009-04-23 17:09 4 a----r-- c:\windows\PiView.zom
2009-04-23 17:08 924,432 a----r-- c:\windows\mfc40.dll
2009-04-23 17:08 329,728 a----r-- c:\windows\Tab32x20.ocx

==================== Find3M ====================

2009-04-15 18:56 27,688 ac------ c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2007-12-04 20:30 9,728 ac-sh--- c:\program files\Thumbs.db
2006-07-20 16:07 18,801 ac------ c:\program files\IE70BlockerHelp.htm
2006-05-08 18:07 28,142 ac------ c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
2006-05-08 17:13 3,730 ac------ c:\program files\IE70Blocker.adm
2006-05-08 17:13 1,809 ac------ c:\program files\IE70Blocker.cmd
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat
2008-05-27 20:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 15:37:01.29 ===============




#7 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 16 May 2009 - 05:51 PM

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Flabby and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
=

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Drivers to delete:
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Reply with copies of the C:\Avenger.txt
and RootRepeal file scan log
and Sysclean.log
and tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#8 Flabby

Flabby
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 16 May 2009 - 07:12 PM

I am posting the Avenger text below, however, I cannot get root reply to run properly after 3 attempts. It says "Initializing, please wait" for 15 minutes each time and does not respond. I re-downloaded it, extracted it to C:\ROOT REPLY directory that I created without success. I rebooted after each attempt. Not sure what to do next...


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

< edited for brevity ~ removed lines on items not found ~ Maurice >

Folder "C:\recycler" deleted successfully.


Completed script processing.

*******************

Finished! Terminate.

Edited by Maurice Naggar, 17 May 2009 - 03:49 AM.


#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 17 May 2009 - 03:50 AM

We won't need Root Repeal. So delete that download and the ROOT REPLY folder you created.

Q: Are you getting help elsewhere, at another forum?
Your logs show Combofix creation / usage on May 15th!
If you -are- being helped elsewhere, let's halt and sort this out. We do not want conflicts.

If you are not being helped, but used the tool on your own, STOP such self-medication.

Now, make sure you proceed to get & run SYSCLEAN as per my preceding reply.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Next, disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not reproduced]


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
[screenshot not reproduced]
then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

If you have a prior copy of SmitFraudFix, delete it now!
Please download SmitfraudFix (by S!Ri). Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.416 as of this post).
Extract the contents of the exe file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected.
=

Reply with copies of the Sysclean log
the C:\Combofix.txt
the C:\rapport.txt
and tell me, how is your system now?
Have the popups stopped?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
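The observation above that the logs "show Combofix creation / usage on May 15th" comes from reading the DDS "Created Last 30" section: C:\ComboFix, SWREG.exe and sed.exe all appear with the same creation minute. The script below is an added example, not part of this thread or of DDS, that parses those lines and groups them by creation minute so that a helper can spot when a known removal tool was dropped on a machine. The sample lines are copied from the DDS log posted earlier in this thread; the mapping from the two folder names to tool names is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log
# posted earlier in this thread, embedded here so the example runs offline.
DDS_CREATED_LAST_30 = """\
2009-05-16 15:30 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2009-05-16 15:30 <DIR> --d----- c:\\program files\\Malwarebytes' Anti-Malware
2009-05-15 20:39 161,792 a------- c:\\windows\\SWREG.exe
2009-05-15 20:39 98,816 a------- c:\\windows\\sed.exe
2009-05-15 20:39 <DIR> --d----- C:\\ComboFix
2009-05-05 11:47 26 a------- c:\\windows\\Zone.Identifier
2009-05-02 14:30 <DIR> --d----- c:\\windows\\ie8updates
"""

# One DDS line: date, time, size (or <DIR>), 8-character attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Folders that identify a removal tool's presence. Both paths appear in the DDS
# log above; associating them with tool names is this example's assumption.
TOOL_DIRS = {
    "c:\\combofix": "ComboFix",
    "c:\\program files\\malwarebytes' anti-malware": "Malwarebytes' Anti-Malware",
}


def parse_created_last_30(text):
    """Parse DDS 'Created Last 30' lines into dicts; skip blank or unparseable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = None if e["is_dir"] else int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def tool_activity(entries):
    """Return [(tool, date, time, [paths])] for every minute in which a known
    tool folder was created, listing all paths created in that same minute
    (newest minute first)."""
    by_minute = defaultdict(list)
    for e in entries:
        by_minute[(e["date"], e["time"])].append(e["path"])
    found = []
    for (d, t), paths in sorted(by_minute.items(), reverse=True):
        tools = {TOOL_DIRS[p.lower()] for p in paths if p.lower() in TOOL_DIRS}
        for tool in sorted(tools):
            found.append((tool, d, t, paths))
    return found


if __name__ == "__main__":
    for tool, d, t, paths in tool_activity(parse_created_last_30(DDS_CREATED_LAST_30)):
        print(f"{tool} activity at {d} {t}:")
        for p in paths:
            print("   ", p)
```

Grouping by creation minute rather than matching file names one by one is the point: the files a tool unpacks alongside its folder show up as a cluster, which is what makes a single log line like C:\ComboFix on 2009-05-15 20:39 evidence of a run rather than a stray directory.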

#10 Flabby

Flabby
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 17 May 2009 - 06:23 AM

Posting Sysclean log and will proceed with your instructions for Combo-Fix.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-16, 21:20:03, Auto-clean mode specified.
2009-05-16, 21:20:03, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-16, 21:20:03, Running scanner "C:\DCE\TSC.BIN"...
2009-05-16, 21:20:21, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-05-16, 21:20:21, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)
Windows XP (Build 2600: Service Pack 3)

Start time: Sat May 16 2009 21:20:07

Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1034) [success]

Complete time: Sat May 16 2009 21:20:21

Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)

2009-05-16, 21:20:21, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-05-16, 21:27:10, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-05-16, 21:27:10, VSCANTM Log:

2009-05-16, 21:27:10, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 21:20:21
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

2009-05-16, 21:27:10, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 21:20:21
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

2009-05-16, 21:27:10, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 21:20:21
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

2009-05-16, 21:27:10, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-16, 22:30:47, Auto-clean mode specified.
2009-05-16, 22:30:48, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-16, 22:30:48, Running scanner "C:\DCE\TSC.BIN"...
2009-05-16, 22:30:59, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-05-16, 22:30:59, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)

Windows XP (Build 2600: Service Pack 3)

Start time: Sat May 16 2009 22:30:50

Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1034) [success]

Complete time: Sat May 16 2009 22:30:59

Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-05-16, 22:30:59, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-05-16, 23:31:08, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-05-16, 23:31:08, VSCANTM Log:

2009-05-16, 23:31:08, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 22:31:00
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\61\1d36a3bd-2cb26ee6 [JAVA_GIMSH.A]
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\62\70a93cfe-4480d859 [JAVA_GIMSH.A]
105334 files have been read.
105334 files have been checked.
105309 files have been scanned.
188967 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 23:31:08 1 hour 8 seconds (3607.83 seconds) has elapsed.(34.251 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 23:31:08, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 22:31:00
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

105334 files have been read.
105334 files have been checked.
105309 files have been scanned.
188967 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 23:31:08 1 hour 8 seconds (3607.83 seconds) has elapsed.(34.251 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 23:31:08, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/16/2009 22:31:00
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 133 (398052/398052 Patterns) (2009/05/15) (613300)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\DCE\lpt$vpn.133

105334 files have been read.
105334 files have been checked.
105309 files have been scanned.
188967 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/16/2009 23:31:08 1 hour 8 seconds (3607.83 seconds) has elapsed.(34.251 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-16, 23:31:08, Running SSAPI scanner ""...
2009-05-17, 00:02:21, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.67
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/16/2009 23:31:12


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:user@ad.yieldmanager.com/,C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:user@ad.yieldmanager.com/,C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:user@com.com/,C:\Documents and Settings\User\Cookies\user@com[1].txt
[CLEAN SUCCESS][Cookie_RealMedia] Internet Explorer Cache\realmedia.com,Cookie:user@realmedia.com/,C:\Documents and Settings\User\Cookies\user@realmedia[1].txt
[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:user@revsci.net/,C:\Documents and Settings\User\Cookies\user@revsci[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:user@server.iad.liveperson.net/,C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[2].txt
[CLEAN SUCCESS][Cookie_LivePerson] Internet Explorer Cache\server.iad.liveperson.net,Cookie:user@server.iad.liveperson.net/hc/19452074,C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[3].txt
[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:user@specificclick.net/,C:\Documents and Settings\User\Cookies\user@specificclick[1].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:user@trafficmp.com/,C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:user@tribalfusion.com/,C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:user@tribalfusion.com/,C:\Documents and Settings\User\Cookies\user@tribalfusion[2].txt
[CLEAN SUCCESS][Adware_WhenU] S-1-5-21-1757981266-1060284298-725345543-1004\Software\Auralis\Wsst Screen Savers\
[CLEAN SUCCESS][Adware_MemWatcher] \127.0.0.1,www.addictivetechnologies.com
Detected: 13 items.
Cleaned Success: 13 items.
Clean Failed: 0 items.

Spyware Scan Ended: 05/17/2009 00:02:21
Scan Complete. Time=1872.359497.

#11 Flabby

Flabby
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 17 May 2009 - 07:02 AM

ComboFix 09-05-16.05 - User 05/17/2009 5:31.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.487 [GMT -6:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 03:08 . 2009-05-17 11:09 -------- d-----w C:\DCE
2009-05-16 23:06 . 2009-05-16 23:06 0 ----a-w c:\documents and settings\User\settings.dat
2009-05-16 22:57 . 2009-05-16 22:57 0 ----a-w C:\backup.reg
2009-05-16 22:57 . 2009-05-16 22:57 574 ----a-w C:\cleanup.bat
2009-05-16 22:57 . 2009-05-16 22:57 19286 ----a-w C:\cleanup.exe
2009-05-16 22:57 . 2009-05-16 22:57 135168 ----a-w C:\zip.exe
2009-05-16 21:30 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-16 21:30 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 21:30 . 2009-05-16 21:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 21:50 . 2009-05-03 22:02 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 20:34 . 2009-05-02 20:34 -------- d-sh--w c:\documents and settings\User\IECompatCache
2009-05-02 20:33 . 2009-05-02 20:33 -------- d-sh--w c:\documents and settings\User\PrivacIE
2009-05-02 20:32 . 2009-05-02 20:32 -------- d-sh--w c:\documents and settings\User\IETldCache
2009-05-02 20:32 . 2009-05-02 20:32 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-02 20:30 . 2009-05-02 20:30 -------- d-----w c:\windows\ie8updates
2009-05-02 20:29 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-02 20:29 . 2009-05-02 20:29 -------- dc-h--w c:\windows\ie8
2009-04-23 23:08 . 2009-04-23 18:32 924432 ----a-r c:\windows\mfc40.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 03:11 . 2008-01-19 16:48 -------- d-----w c:\program files\Lavasoft
2009-05-03 21:20 . 2008-09-06 19:49 -------- d-----w c:\program files\Max Registry Cleaner
2009-05-02 20:49 . 2008-02-18 19:16 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-01 22:04 . 2006-03-03 03:46 27688 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-16 01:15 . 2005-07-09 00:10 -------- d-----w c:\program files\HyperLobbyPro3
2009-04-16 00:56 . 2007-02-02 23:16 27688 -c--a-w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2009-04-04 02:49 . 2005-07-22 03:48 -------- d-----w c:\program files\Java
2009-03-31 01:54 . 2009-02-01 04:08 -------- d-----w c:\program files\iTunes
2009-03-29 23:08 . 2009-03-29 23:08 -------- d-----w c:\program files\iPod
2009-03-29 23:08 . 2007-07-08 23:08 -------- d-----w c:\program files\Common Files\Apple
2009-03-29 23:07 . 2009-03-29 23:07 -------- d-----w c:\program files\Bonjour
2009-03-14 00:07 . 2005-07-08 00:06 27688 -c--a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 11:19 . 2008-04-22 00:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 10:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2007-12-05 02:30 . 2007-12-05 02:30 9728 -csha-w c:\program files\Thumbs.db
2006-07-20 22:07 . 2006-07-20 22:07 18801 -c--a-w c:\program files\IE70BlockerHelp.htm
2006-05-09 00:07 . 2006-05-09 00:07 28142 -c--a-w c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
2006-05-08 23:13 . 2006-05-08 23:13 3730 -c--a-w c:\program files\IE70Blocker.adm
2006-05-08 23:13 . 2006-05-08 23:13 1809 -c--a-w c:\program files\IE70Blocker.cmd
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 21:20 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-18 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dwStart"="c:\program files\PCSecurityShield\The Shield Firewall\FireWall.exe" [2004-08-05 405504]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-28 1601304]
"RCSystemTray"="c:\program files\Max Registry Cleaner\MaxRCSystemTray.exe" [2009-02-23 925568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-02-28 921600]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

c:\documents and settings\User\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2005-7-29 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2006-10-1 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-28 03:10 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE
"SideWinderTrayV4"=c:\progra~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
"WinampAgent"=c:\program files\Winamp\winampa.exe
"UpdReg"=c:\windows\UpdReg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/6/2008 1:39 PM 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/6/2008 1:39 PM 107272]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [1/1/2005 1:44 AM 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/6/2008 1:39 PM 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/6/2008 1:39 PM 298264]
S0 si3114;si3114;c:\windows\system32\drivers\si3114.sys [2/28/2005 6:00 AM 54872]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [5/19/2004 11:53 PM 142169]
S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/2/2006 8:38 PM 96256]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [7/7/2005 9:34 PM 3968]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [2/18/2008 6:01 PM 138528]
S3 usbdpfp;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [9/16/2006 5:23 PM 47360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.excite.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: {631D105D-647A-4567-8161-7C1CF0EAE9AF} = 208.67.220.220,208.67.222.222
TCP: {92FF6AFA-2902-483B-B872-17AE3D23F8C2} = 208.67.220.220,208.67.222.222
TCP: {A3F4C798-7444-4937-9426-85582A9C77A5} = 208.67.220.220,208.67.222.222
TCP: {CC607281-709D-4EBB-837C-A2F5C7A82368} = 208.67.220.220,208.67.222.222
TCP: {F2179EA8-4045-4417-B078-64C60543AEC1} = 208.67.220.220,208.67.222.222
TCP: {FAB997C1-5BF9-4DA8-91D9-3288ED125C78} = 208.67.220.220,208.67.222.222
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://tjcamera.lifepics.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\0h5i3v8g.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 05:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-1060284298-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1528)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2009-05-17 5:35
ComboFix-quarantined-files.txt 2009-05-17 11:34
ComboFix2.txt 2009-05-16 02:48

Pre-Run: 140,242,788,352 bytes free
Post-Run: 140,263,739,392 bytes free

186 --- E O F --- 2009-05-14 20:38
**********************************
SmitFraudFix v2.416

Scan done at 5:53:02.85, Sun 05/17/2009
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
...

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{450CF5FE-1D0D-40D7-ABBB-A5ECD3B9646D}: DhcpNameServer=10.223.244.10 10.223.244.9
HKLM\SYSTEM\CCS\Services\Tcpip\..\{631D105D-647A-4567-8161-7C1CF0EAE9AF}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{78974892-FE1A-4AA6-ADD4-E4C92A5AD3AC}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B20553E1-6879-4FE0-8079-82A989E4C13B}: DhcpNameServer=10.223.244.9 10.223.244.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6818A31-9200-46F5-A0FB-F128CC42ACAC}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{450CF5FE-1D0D-40D7-ABBB-A5ECD3B9646D}: DhcpNameServer=10.223.244.10 10.223.244.9
HKLM\SYSTEM\CS1\Services\Tcpip\..\{631D105D-647A-4567-8161-7C1CF0EAE9AF}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{78974892-FE1A-4AA6-ADD4-E4C92A5AD3AC}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B20553E1-6879-4FE0-8079-82A989E4C13B}: DhcpNameServer=10.223.244.9 10.223.244.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6818A31-9200-46F5-A0FB-F128CC42ACAC}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{450CF5FE-1D0D-40D7-ABBB-A5ECD3B9646D}: DhcpNameServer=10.223.244.10 10.223.244.9
HKLM\SYSTEM\CS3\Services\Tcpip\..\{631D105D-647A-4567-8161-7C1CF0EAE9AF}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{78974892-FE1A-4AA6-ADD4-E4C92A5AD3AC}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{92FF6AFA-2902-483B-B872-17AE3D23F8C2}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A3F4C798-7444-4937-9426-85582A9C77A5}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B20553E1-6879-4FE0-8079-82A989E4C13B}: DhcpNameServer=10.223.244.9 10.223.244.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CC607281-709D-4EBB-837C-A2F5C7A82368}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D6818A31-9200-46F5-A0FB-F128CC42ACAC}: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F2179EA8-4045-4417-B078-64C60543AEC1}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FAB997C1-5BF9-4DA8-91D9-3288ED125C78}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146 68.87.78.130


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK.2



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#12 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 17 May 2009 - 07:46 AM

You need to tell me if unwanted popups are still occurring, and if so, whether it is in Internet Explorer or Firefox, or both, or in another browser.
Please provide ample details of the current situation.

Also, I noticed The Shield Firewall in one of your logs. What do you know about it? Using it?

Limewire is also listed. Peer-to-peer filesharing is a security risk. I recommend you uninstall it.

Logs also show you have AVG Free version 8.0.
Unless I am mistaken, the more recent version is 8.5.
Consider upgrading.
http://www.avg.com/product-avg-anti-virus-free-edition


This next step is to ensure all temporary files are removed. First, save any open work files you have and close your open programs.

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}.

=
Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=
Plug in your USB flash drives so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write a read-only, system-protected Autorun.inf file to all of your hard drives and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Uninstall your Adobe Reader: use Control Panel's Add/Remove Programs to remove Adobe Reader. Get the latest version from http://www.adobe.com/products/acrobat/readstep2.html

=
Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Reply with a copy of the DrWeb CureIt report
and tell me with details: how is your system now?

Edited by Maurice Naggar, 17 May 2009 - 07:48 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
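A PowerShell approximation of the two AutoRun steps above, added here as an example; it is not TweakUI or sUBs' Flash Drive Disinfector. It assumes the Explorer NoDriveTypeAutoRun policy value (the documented per-drive-type AutoRun switch) and the placeholder scheme the post describes, and must be run as Administrator.

```powershell
# Added example, not code from the post or either tool it recommends.
# Assumptions: NoDriveTypeAutoRun is the Explorer policy that TweakUI toggles
# per drive type; the placeholder scheme follows the post's description.

# Step 1: disable AutoRun for every drive type except CD/DVD, as the post
# says. 0xFF disables all types; bit 0x20 is the CD-ROM type, so 0xDF keeps it.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xDF -Type DWord

# Step 2: put a read-only, system, hidden Autorun.inf on every removable (2)
# and fixed (3) drive so a worm cannot drop its own file under that name.
# An Autorun.inf that already exists is reported and skipped, not deleted:
# it may be the infection's own file and should be inspected first.
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { @(2, 3) -contains $_.DriveType }
foreach ($drive in $drives) {
    $target = "$($drive.DeviceID)\Autorun.inf"
    if (Test-Path $target) {
        Write-Warning "Existing Autorun.inf at $target - inspect it before replacing"
        continue
    }
    # Comment-only INI content: even if Explorer reads it, nothing is launched.
    Set-Content -Path $target -Value '; placeholder written by protect-autorun example' -Encoding ASCII
    $attrs = [System.IO.FileAttributes]::ReadOnly -bor `
             [System.IO.FileAttributes]::System -bor `
             [System.IO.FileAttributes]::Hidden
    [System.IO.File]::SetAttributes($target, $attrs)
    Write-Host "Protected placeholder written to $target"
}

# Verification: show the policy value and the attributes of each placeholder.
Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun'
foreach ($drive in $drives) {
    $target = "$($drive.DeviceID)\Autorun.inf"
    if (Test-Path $target) { Get-Item $target -Force | Select-Object FullName, Attributes }
}
```

Plug in the USB drives before running it, as the post says, so they are enumerated too.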

#13 Flabby

Flabby
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 17 May 2009 - 08:14 PM

The pop-ups and browser redirects appear to be gone...thank you very much!
Regarding The Shield Firewall, it does appear to block some attempts to access my computer. I do have a recent Linksys router; do you think I need a software firewall as well? Any suggestions are appreciated.

Here are the log files you requested:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_12c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05172009_071908

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_12c.dat not found!

Registry entries deleted on Reboot...
**************************************
Following is from Dr Web:

pv.exe;C:\Documents and Settings\User\My Documents\My Downloads\smitRem;Program.PrcView.3741;Incurable.Moved.;
**************************************
I ran all the other apps that you recommended with success.
I appreciate all the time and assistance you've given to this.
I am very happy that people like you are available to provide this type of service, otherwise many of us would flounder.
Best Regards,
Flabby

#14 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:55 PM

Posted 17 May 2009 - 08:34 PM

You did well. Thank you for the compliments. The DrWeb CureIt scan found nothing new.
You are good to go after the following.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run. In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)