
google redirection virus


9 replies to this topic

#1 Neon Elf (Members, 6 posts)

Posted 13 May 2009 - 12:03 AM

I'm having trouble on my wife's computer. She got a "vundo" virus last week which I've managed to defeat. I've downloaded Ad-Aware and AVG, installed them, scanned, and left them memory-resident to prevent her from having a similar problem in future. However, now I've got the Google search redirector problem. You click on a link after searching in Google and you end up somewhere else.

I've cleaned out so much stuff I don't know where to begin. I've replaced infected files from the Recovery Console, I've deleted registry keys that were launching bad stuff. As far as I can tell I have no more infected files, nothing running that's a virus, nor any bad registry keys. So why am I still being redirected?

I cleared out all the cookies because I read that might be the issue; however, that still didn't work.

So I give up and I'm asking for expert help. Maybe you guys should produce a cure-all for this, as it seems a pretty hot topic recently. Thanks in advance.

-Wayne

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jenny at 22:52:28.95 on Tue 05/12/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.487 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jenny\My Documents\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.facebook.com/
uSearch Bar = hxxp://www.google.com/ie
mSearch Page =
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PDUiP6600DMon] c:\program files\canon\memory card utility\ip6600d\PDUiP6600DMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jenny\applic~1\mozilla\firefox\profiles\f6szv0dg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/calendar/render?sourceid=tipcal
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_03050024.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-2 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-6 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-6 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [2004-9-17 212608]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S2 akdeeqdt;Realtek 10/100/1000 NIC Family all in one NDIS XP Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-25 33752]

=============== Created Last 30 ================

2009-05-12 22:04 <DIR> --d----- c:\program files\Trend Micro
2009-05-12 21:53 7,527,808 a------- c:\temp\Firefox setup 3.0.9.exe
2009-05-12 21:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-05-12 20:55 502,272 a------- C:\winlogon.exe
2009-05-12 20:55 502,272 a------- c:\windows\system32\WINLOGON.EXE
2009-05-07 09:52 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-07 08:32 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-07 08:32 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-06 22:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-06 22:28 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-06 22:28 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-06 22:28 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-06 22:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-06 22:27 <DIR> --d----- c:\docume~1\jenny\applic~1\AVGTOOLBAR
2009-05-06 22:27 <DIR> --d----- c:\program files\AVG
2009-05-06 22:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-06 18:23 <DIR> --d----- c:\program files\Viewpoint
2009-05-06 13:30 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-05 21:42 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-05-05 21:41 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-05 21:18 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-05 19:35 100 a------- C:\xcrashdump.dat
2009-05-03 17:26 46 a------- c:\windows\system32\p2hhr.bat
2009-05-03 00:14 161,792 a------- c:\windows\SWREG.exe
2009-05-03 00:14 98,816 a------- c:\windows\sed.exe
2009-05-02 22:57 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-02 21:57 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-02 21:50 <DIR> --d----- c:\program files\Lavasoft
2009-05-02 20:42 <DIR> --d----- c:\windows\pss
2009-05-02 15:20 <DIR> --d----- c:\docume~1\jenny\applic~1\pidle

==================== Find3M ====================

2009-03-21 08:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 08:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 08:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 22:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 04:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 04:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-19 23:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-06 15:12 92,064 a------- c:\documents and settings\jenny\mqdmmdm.sys
2009-02-06 15:12 79,328 a------- c:\documents and settings\jenny\mqdmserd.sys
2009-02-06 15:12 66,656 a------- c:\documents and settings\jenny\mqdmbus.sys
2009-02-06 15:12 9,232 a------- c:\documents and settings\jenny\mqdmmdfl.sys
2009-02-06 15:12 6,208 a------- c:\documents and settings\jenny\mqdmcmnt.sys
2009-02-06 15:12 5,936 a------- c:\documents and settings\jenny\mqdmwhnt.sys
2009-02-06 15:12 4,048 a------- c:\documents and settings\jenny\mqdmcr.sys
2009-02-06 15:12 25,600 a------- c:\documents and settings\jenny\usbsermptxp.sys
2009-02-06 15:12 22,768 a------- c:\documents and settings\jenny\usbsermpt.sys
2006-11-17 12:42 67,259,232 a------- c:\program files\PM701Tryout.exe

============= FINISH: 22:53:47.17 ===============
<Edited to place Attach.txt IN-Line ~ Maurice>


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/17/2006 10:51:05 PM
System Uptime: 5/12/2009 10:16:12 PM (0 hours ago)

Motherboard: Hewlett-Packard | | 309B
Processor: AMD Turion™ 64 Mobile Technology ML-34 | U23 | 1794/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 61 GiB total, 23.323 GiB free.
D: is FIXED (FAT32) - 13 GiB total, 0.958 GiB free.
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe PageMaker 7.0
Adobe Photoshop 6.0
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
Amazon MP3 Downloader 1.0.3
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI Display Driver
AudioConverter
Avanquest update
AVG Free 8.5
BufferChm
Canon iP6600D
Canon iP6600D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Coloriage
Conexant AC-Link Audio
Coupon Printer for Windows
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CuteFTP 5.0 XP
Destinations
DeviceManagementQFolder
Download Updater (AOL LLC)
DVD Ripper Platinum 4
Easy-WebPrint
FullDPAppQFolder
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP QuickPlay 2.0
HP Rhapsody
HP User Guides--System Recovery
HP User Guides 0026
HP Wireless Assistant 2.00 C1
HpSdpAppCoreApp
ImageMixer for HDD Camcorder
InstantShareDevices
iTunes
LightScribe 1.4.56.1
Logitech QuickCam Software
Logitech® Camera Driver
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Suite 2006
Microsoft Digital Image Suite 2006 Editor
Microsoft Digital Image Suite 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007 Trial
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Publisher 97
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
Motorola Driver Installation 3.4.0
Motorola Phone Tools
Mozilla Firefox (3.0.9)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
muvee autoProducer 4.5
MyPublisher BookMaker
Nero 7
Nero Recode CE
neroxml
Netflix Movie Viewer
Nikon View 6
Office 2003 Trial Assistant
OptionalContentQFolder
Paint.NET v3.30
PhotoGallery
PIXresizer 2.0.3
Print Workshop 2004 LE
PuTTY version 0.60
Quick Launch Buttons 5.20 G1
QuickTime
RandMap
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SkinsHP1
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
SonicAC3Encoder
SonicMPEGEncoder
Sony ACID XMC 6.0
Sony DVD Architect Studio 3.0
Sony Vegas Movie Studio Platinum 6.0
SpiceMASTER 2.5 TFX for Vegas
Synaptics Pointing Device Driver
TBS WMP Plug-in
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Video Converter 3
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.2
WebFldrs XP
WebIQ Technology Engine
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890546
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
WinZip
Wireless Home Network Setup
Wondershare Photo Collage Studio (3.0.0)
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

5/7/2009 8:14:30 AM, error: ipnathlp [32003] - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
5/7/2009 11:55:23 PM, error: Service Control Manager [7023] - The Realtek 10/100/1000 NIC Family all in one NDIS XP Support service terminated with the following error: The specified module could not be found.
5/7/2009 11:41:47 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/7/2009 11:12:50 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
5/6/2009 11:51:34 AM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\drivers\usbser.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.1330, the version of the system file is 5.1.2600.2180.
5/12/2009 9:35:47 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
5/12/2009 7:43:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/12/2009 7:22:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/12/2009 7:17:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/12/2009 7:16:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/12/2009 7:15:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/12/2009 7:15:13 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
5/12/2009 7:15:13 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 7:15:13 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 7:15:13 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 7:15:13 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 7:15:13 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/11/2009 3:57:04 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HOMELANDX that believes that it is the master browser for the domain on transport NetBT_Tcpip_{AE5201F7-E997-4443. The master browser is stopping or an election is being forced.

==== End Of File ===========================

Edited by Maurice Naggar, 24 May 2009 - 11:28 AM.
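The DDS report above contains the lines a responder looks at first: a Winlogon Userinit value with a second executable appended after userinit.exe, Explorer and System policies that hide Folder Options and block regedit (the same keys the FixPolicies and VArestorepolicies steps later in this thread are meant to reverse), toolbar/BHO entries that point at "No File", a service hosted in svchost.exe whose short name has nothing to do with its description, a copy of winlogon.exe in the root of C:, and a hidden+system directory under system32. The script below is an added example, not a DDS or BleepingComputer tool, that pulls those indicators out of a DDS-style log automatically. SAMPLE_LOG is a constructed excerpt of the report posted above; the LOCKOUT_POLICIES and CORE_BINARIES lists and the name-vs-description heuristic for svchost services are this example's own assumptions, not rules from the page.

```python
"""Triage helper for a DDS-style report (added example; not part of DDS).

Flags: a modified Winlogon Userinit value, policies that lock the user out
of Folder Options / regedit, orphaned 'No File' hooks, svchost-hosted
services whose name is unrelated to their description, and copies of core
Windows binaries outside system32.
"""
import re

# Constructed excerpt of the report posted in this thread (not the full log).
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 298776]
S2 akdeeqdt;Realtek 10/100/1000 NIC Family all in one NDIS XP Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
2009-05-12 20:55 502,272 a------- C:\winlogon.exe
2009-05-12 20:55 502,272 a------- c:\windows\system32\WINLOGON.EXE
2009-05-07 09:52 <DIR> --dsh--- c:\windows\system32\lowsec
"""

# Assumed list: policies that belong on a locked-down corporate PC; on a home
# machine they usually mean malware is hiding itself from the user.
LOCKOUT_POLICIES = {"NoFolderOptions", "DisableRegistryTools",
                    "NoSetActiveDesktop", "NoActiveDesktopChanges", "DisableTaskMgr"}

# Assumed short list of binaries that must live only in %windir%\system32.
CORE_BINARIES = {"winlogon.exe", "userinit.exe", "explorer.exe", "lsass.exe",
                 "csrss.exe", "services.exe", "svchost.exe"}

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s*\[", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(\w+)\s*=\s*(\d+)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")


def triage(text):
    """Return a list of (category, detail) findings for a DDS report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # 1. Winlogon Userinit: the only legitimate entry is userinit.exe.
        if low.startswith("mwinlogon: userinit="):
            entries = [e.strip() for e in line.split("=", 1)[1].split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("userinit_hijack", ", ".join(extra)))

        # 2. Policies that hide Folder Options / regedit from the user.
        m = POLICY_RE.match(line)
        if m and m.group(1) in LOCKOUT_POLICIES and m.group(2) != "0":
            findings.append(("lockout_policy", m.group(1)))

        # 3. Orphaned hooks: a CLSID still registered but its DLL gone.
        if low.endswith("- no file"):
            findings.append(("orphan_hook", line.split(":", 1)[0]))

        # 4. svchost-hosted service whose short name is not derived from any
        #    word of its description (heuristic; assumption of this example).
        m = SERVICE_RE.match(line)
        if m:
            name, desc, image = m.group(1), m.group(2), m.group(3)
            words = re.findall(r"[a-z0-9]+", desc.lower())
            if "svchost.exe" in image.lower() and not any(name.lower() in w for w in words):
                findings.append(("svchost_service", name))

        # 5. Core Windows binary created outside system32, or a hidden+system dir.
        m = CREATED_RE.match(line)
        if m:
            path = m.group(1).strip()
            base = path.lower().rsplit("\\", 1)[-1]
            if base in CORE_BINARIES and "\\windows\\system32\\" not in path.lower():
                findings.append(("core_binary_outside_system32", path))
            if "--dsh---" in low and "<dir>" in low:
                findings.append(("hidden_system_dir", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:30} {detail}")
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file's contents; the point of the Userinit check in particular is that removing the listed file alone is not enough, because the registry value will keep trying to launch it at every logon.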




#2 Neon Elf (Topic Starter, Members, 6 posts)

Posted 22 May 2009 - 10:37 PM

Bump. Still having problems; I have cleaned out multiple items, and it keeps coming back.

#3 Maurice Naggar (Eradicator de malware, Malware Response Team, 1,088 posts, USA)

Posted 24 May 2009 - 11:24 AM

Hello Neon Elf,

If you still have the same issues, and you are not being helped elsewhere, then do the following.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point you have a question or problem, STOP and make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=

Set Windows to show all files and all folders.
On your Desktop, double-click My Computer; from the menu, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and the temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
=
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.

=
Close other programs that you have started.

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

=

Next, Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

=

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
KILLALL::

DDS::
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,

File::
c:\windows\system32\sdra64.exe
c:\windows\9g2234wesdf3dfgjf23
c:\windows\t55ft2692f44.dat

Folder::
c:\windows\system32\lowsec
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Posted Image
  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


=

Once Complete, reboot! :!:

Run Hijackthis
Start Hijackthis. Do a Scan and Save log.

After following the above, post back with:
1. Goored.txt
2. Contents of C:\Combofix.txt
3. The MBAM log
4. New HijackThis log
5. Tell me, how is your system now?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
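The Userinit line in the CFScript above (a second executable appended to the Winlogon Userinit value) and the Security Center "DisableNotify" switches are both visible in a plain registry export before any fix is scripted. The script below is an added example in Python, not code from this thread or from ComboFix, GooredFix or MBAM; the .reg text is constructed, modelled on the key paths and value names in the logs posted here.

```python
"""Flag two common tampering indicators in a REGEDIT4-style registry export.

Added example, not part of the thread or of any tool used in it. It checks
the Winlogon Userinit value for entries beyond the stock userinit.exe and the
Security Center switches that suppress "no antivirus / no updates" warnings.
"""
import re

# Constructed sample modelled on the ComboFix "Reg Loading Points" section.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000
'''

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# The only entry a stock Windows XP Userinit value should contain.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Security Center switches that, when set to 1, hide missing-protection warnings.
SECURITY_CENTER_FLAGS = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallDisableNotify")


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path_lower: {name: value}}.

    Quoted strings are unescaped (\\\\ -> \\), dword values become ints.
    Key paths are lower-cased because the registry is case-insensitive.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = raw
        keys[current][name] = value
    return keys


def check_userinit(keys):
    """Return every Userinit entry other than the stock userinit.exe."""
    raw = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_security_center(keys):
    """Return the Security Center switches set to 1 (warnings suppressed)."""
    sc = keys.get(SECURITY_CENTER_KEY, {})
    return sorted(name for name in SECURITY_CENTER_FLAGS if sc.get(name) == 1)


def findings(text):
    """Run both checks over a REGEDIT4 export and return the indicators found."""
    keys = parse_reg(text)
    return {"userinit_extra": check_userinit(keys),
            "security_center_disabled": check_security_center(keys)}


if __name__ == "__main__":
    for label, hits in findings(SAMPLE_REG).items():
        print(f"{label}: {hits if hits else 'clean'}")
```

On a live system the same export can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and fed to `findings()` after reading the file as text.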

#4 Neon Elf

Neon Elf
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:29 PM

Posted 24 May 2009 - 06:02 PM

1. Goored.txt
GooredFix v1.92 by jpshortstuff
Log created at 16:48 on 24/05/2009 running Option #2 (Jenny)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{DE56F0A1-F1B4-4346-97DC-7E2A673D3416}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{97A885F0-8767-44C7-BE46-B7B153AAC962}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{82956CFE-770F-40DA-B503-AAF69ED69F8F}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{76D839B3-E1DD-4D6A-B6D8-ED4597D71796}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{486E4A4A-0D01-41FF-BF79-56AF1ED5B9F5}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

2. Contents of C:\Combofix.txt;
ComboFix 09-05-24.03 - Jenny 05/24/2009 16:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.577 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\9g2234wesdf3dfgjf23
c:\windows\system32\sdra64.exe
c:\windows\t55ft2692f44.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\temp\Perflib_Perfdata__755.dat
C:\recycler
c:\recycler\S-1-5-21-1155627854-614541918-4075671649-1006\desktop.ini
c:\recycler\S-1-5-21-1155627854-614541918-4075671649-1006\INFO2
c:\recycler\S-1-5-21-1155627854-614541918-4075671649-500\desktop.ini
c:\recycler\S-1-5-21-1155627854-614541918-4075671649-500\INFO2
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthttjuvpfqbuaowyjaeylkxyytlepdocsq.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\New Text Document.txt
c:\windows\system32\ovfsthecmlgxeewlioxjnuuqruimhbxicnibdw.dat
c:\windows\system32\ovfsthesawpflcnnxtywyexkoujtsqwaryhigv.dll
c:\windows\system32\ovfsthewqukngxxulxbtkogiohtpbdulsespsl.dll
c:\windows\system32\ovfsthpivdorsuvqmqkccndiincrodobffmskp.dat
c:\windows\system32\ovfsthujwgkrjelwyelovelaapipvhjumfrqxc.dll
c:\windows\system32\p2hhr.bat
c:\windows\system32\sdra64.exe
c:\windows\system32\sdra641.exe
c:\windows\system32\service-466.exe
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\t55ft2692f44.dat
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthvsaklemcjsarpvuobrlnppihesjmgose
-------\Legacy_ASHEVTSVC
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 21:35 . 2009-05-24 21:35 2829 ----a-w c:\windows\system32\sdra64.PIF
2009-05-24 21:32 . 2009-05-24 21:32 -------- d--h--w c:\windows\PIF
2009-05-24 17:44 . 2009-05-24 17:44 -------- d-----w c:\windows\system32\New Folder
2009-05-24 17:15 . 2009-05-24 17:16 -------- d-sh--w c:\documents and settings\Jenny\Application Data\lowsec
2009-05-24 17:09 . 2009-05-24 17:09 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2009-05-24 17:08 . 2009-05-24 17:08 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-05-24 15:09 . 2009-05-24 22:34 202792 ----a-w c:\documents and settings\Jenny\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 13:22 . 2009-05-23 13:22 128 ----a-w c:\documents and settings\Jenny\Local Settings\Application Data\fusioncache.dat
2009-05-23 05:26 . 2009-05-23 07:55 -------- d-----w C:\!KillBox
2009-05-23 04:43 . 2009-05-23 04:43 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Logitech-LS
2009-05-23 04:13 . 2004-08-04 06:56 502272 ----a-w c:\windows\system32\WINLOGON.EXE
2009-05-21 19:45 . 2009-05-21 19:45 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-19 14:07 . 2009-05-07 04:27 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-19 14:07 . 2009-05-07 04:27 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-19 14:07 . 2009-05-07 04:27 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-19 14:07 . 2009-05-07 04:27 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-19 14:07 . 2009-05-07 04:27 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-19 14:07 . 2009-05-07 04:27 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-19 14:07 . 2009-05-07 04:27 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-19 14:07 . 2009-05-07 04:27 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-19 14:07 . 2009-05-07 04:27 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-19 14:06 . 2009-05-07 04:27 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-19 14:06 . 2009-05-07 04:27 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-19 03:05 . 2009-05-19 03:05 57344 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-57e5ba4d-n\Decora-SSE.dll
2009-05-19 03:05 . 2009-05-19 03:05 3584 ----a-r c:\documents and settings\Jenny\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-05-19 03:05 . 2009-05-19 03:05 -------- d-----w c:\program files\Windows Installer Clean Up
2009-05-19 03:05 . 2009-05-19 03:05 24064 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3f19a40b-n\Decora-D3D.dll
2009-05-19 03:05 . 2009-05-19 03:05 315392 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-101b9446-n\jogl.dll
2009-05-19 03:05 . 2009-05-19 03:05 20480 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-101b9446-n\jogl_awt.dll
2009-05-19 03:05 . 2009-05-19 03:05 114688 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-101b9446-n\jogl_cg.dll
2009-05-19 03:05 . 2009-05-19 03:05 20480 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-344e453a-n\gluegen-rt.dll
2009-05-19 03:05 . 2009-05-19 03:05 499712 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-367b7bc9-n\msvcp71.dll
2009-05-19 03:05 . 2009-05-19 03:05 499712 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-367b7bc9-n\jmc.dll
2009-05-19 03:05 . 2009-05-19 03:05 348160 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-367b7bc9-n\msvcr71.dll
2009-05-19 03:05 . 2009-05-19 03:05 -------- d-----w c:\program files\MSECACHE
2009-05-19 03:04 . 2009-05-19 03:04 -------- d-----w c:\program files\Java6
2009-05-19 03:02 . 2009-05-19 03:02 152576 ----a-w c:\documents and settings\Jenny\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-17 14:47 . 2009-05-17 14:48 -------- d-----w c:\documents and settings\All Users\Application Data\QHIXTZODYG
2009-05-13 04:04 . 2009-05-13 04:04 -------- d-----w c:\program files\Trend Micro
2009-05-13 02:01 . 2009-05-13 02:01 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-13 01:33 . 2009-05-13 01:36 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-07 04:37 . 2009-05-24 17:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-07 04:28 . 2009-05-07 04:28 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-07 04:28 . 2009-05-07 04:28 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 04:28 . 2009-05-07 04:28 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-07 04:27 . 2009-05-07 04:27 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-07 04:27 . 2009-05-24 15:11 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-07 04:27 . 2009-05-07 04:27 -------- d-----w c:\documents and settings\Jenny\Application Data\AVGTOOLBAR
2009-05-07 04:27 . 2009-05-07 04:27 -------- d-----w c:\program files\AVG
2009-05-07 04:27 . 2009-05-24 17:33 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-06 19:30 . 2009-05-11 13:48 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-06 17:50 . 2009-05-06 17:50 -------- d-----w c:\documents and settings\Jenny\Application Data\InstallShield
2009-05-06 03:44 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-06 03:44 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-06 03:44 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-06 03:44 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-06 03:44 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-05-06 03:44 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-06 03:44 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-06 03:44 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-06 03:44 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-06 03:42 . 2008-05-01 14:30 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-06 03:41 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-06 03:18 . 2009-05-06 03:18 -------- d--h--w c:\windows\system32\GroupPolicy
2009-05-03 04:57 . 2009-05-03 03:57 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-05-03 03:56 . 2009-05-03 03:56 539512 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-03 03:56 . 2009-05-03 03:56 552808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-03 03:56 . 2009-05-03 03:56 2324808 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-03 03:56 . 2009-05-03 03:56 626000 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-03 03:56 . 2009-05-03 03:56 516440 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-03 03:56 . 2009-05-03 03:56 953168 ----a-w c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-03 03:50 . 2009-05-03 03:50 -------- d-----w c:\program files\Lavasoft
2009-05-03 03:50 . 2009-05-03 03:50 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 21:14 . 2006-11-17 00:49 -------- d-----w c:\program files\Microsoft Publisher
2009-05-24 21:11 . 2006-09-21 01:19 -------- d-----w c:\program files\Canon
2009-05-24 21:10 . 2008-04-24 19:48 -------- d-----w c:\program files\Coupons
2009-05-19 03:04 . 2009-01-14 15:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-19 03:03 . 2006-04-14 03:51 -------- d-----w c:\program files\Java
2009-05-19 02:54 . 2006-04-14 03:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-13 01:45 . 2009-02-06 21:12 -------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-05-08 00:12 . 2004-08-10 15:00 -------- d-----w c:\program files\Common Files\Mozilla Shared
2009-05-06 17:51 . 2009-02-06 21:12 -------- d-----w c:\program files\Motorola Phone Tools
2009-05-05 22:10 . 2006-09-19 23:14 -------- d-----w c:\program files\Microsoft Digital Image 2006
2009-05-03 10:10 . 2006-04-14 02:43 -------- d-----w c:\program files\CONEXANT
2009-05-03 06:49 . 2006-09-22 00:59 -------- d-----w c:\program files\Yahoo!
2009-05-03 06:46 . 2006-04-14 04:41 -------- d-----w c:\program files\Quicken
2009-05-03 06:44 . 2007-02-24 16:56 -------- d--h--w c:\documents and settings\Jenny\Application Data\Move Networks
2009-05-03 06:43 . 2006-04-14 04:39 -------- d-----w c:\program files\Google
2009-05-03 06:42 . 2006-04-14 04:08 -------- d-----w c:\program files\GemMaster
2009-05-03 06:38 . 2007-08-19 01:57 -------- d-----w c:\program files\Oberon Media
2009-04-27 22:52 . 2006-09-17 23:35 -------- d-----w c:\program files\AIM
2009-04-27 22:52 . 2006-09-17 23:36 -------- d-----w c:\documents and settings\Jenny\Application Data\Aim
2009-04-18 21:55 . 2009-04-18 21:55 966808 ----a-w c:\documents and settings\Jenny\Application Data\Move Networks\MoveMediaPlayer_win_mozilla_071303000004.exe
2009-04-03 15:48 . 2006-12-20 15:46 -------- d-----w c:\program files\AIM6
2009-04-03 15:47 . 2009-04-03 15:47 -------- d-----w c:\program files\Common Files\Software Update Utility
2009-04-03 15:47 . 2009-04-03 15:47 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-04-03 15:46 . 2006-10-26 16:12 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-12 17:05 . 2006-04-14 04:53 203184 -c--a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:00 . 2004-08-10 15:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 15:00 826368 ----a-w c:\windows\system32\wininet.dll
2007-01-19 13:52 . 2007-02-24 19:17 118784 ----a-w c:\program files\mozilla firefox\components\nmgkff15.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
[-] 2005-03-25 21:00 26112 29A1877F2D0EACFF20B6507A3C00F31B c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-03 516440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-07 1947928]
"PDUiP6600DMon"="c:\program files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe" [2005-05-25 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
ImageMixer for HDD Camcorder.lnk - c:\program files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe [2006-10-5 1871872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2007-3-30 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"PreXPSP2ShellProtocolBehavior"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-07 04:28 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161879125\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161879125\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/2/2009 9:57 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/6/2009 10:28 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/6/2009 10:28 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/6/2009 10:27 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 953168]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [9/17/2004 11:38 AM 212608]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 3:06 AM 231424]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [9/17/2004 11:38 AM 12672]
S2 akdeeqdt;Realtek 10/100/1000 NIC Family all in one NDIS XP Support;c:\windows\System32\svchost.exe -k netsvcs [8/10/2004 9:00 AM 14336]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [1/25/2009 9:06 PM 33752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
akdeeqdt
.
Contents of the 'Scheduled Tasks' folder

2009-05-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:56]

2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:15]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\kbx14w6z.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\Java6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 16:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????4?1?9?1??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(536)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\progra~1\HPQ\shared\HPQTOA~1.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-05-24 16:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 22:39

Pre-Run: 29,240,180,736 bytes free
Post-Run: 29,227,634,688 bytes free

316 --- E O F --- 2009-05-19 03:08

3. the MBAM log
Malwarebytes' Anti-Malware 1.36
Database version: 2176
Windows 5.1.2600 Service Pack 2

5/24/2009 4:50:11 PM
mbam-log-2009-05-24 (16-50-11).txt

Scan type: Quick Scan
Objects scanned: 91223
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp-up.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vp_setup.exe.bat (Malware.Trace) -> Quarantined and deleted successfully.

4. New HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:32 PM, on 5/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PDUiP6600DMon] C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: ImageMixer for HDD Camcorder.lnk = C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp..._downloader.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 6662 bytes

#5 Neon Elf

Neon Elf
  • Topic Starter

  • Members
  • 6 posts

Posted 24 May 2009 - 06:11 PM

To preface this, I was working on cleaning the machine quite a bit myself. I had narrowed it down to the userinit registry key and a file called srda64.exe. That was what I was working on when I started following your directions. The hallmark of this infection was that it would come (back perhaps on reboot?) and my nightly virus scans would come up with several infections. I see that this procedure has fixed the UserInit registry key. The gooredfix has fixed the redirect issue. However, I'm uncertain anything is still infected until perhaps another day goes by and allows for a reboot or two.

Thank you for your directions, and your time. I'll update in one or two days if you don't see anything specific in my logs.

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2009 - 10:19 PM

This system had a rootkit infection and an autorun infection. There's one more file we need to remove and I want to check on a few other things (in the script below).

First, Ad-Watch needs to be off:
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it.
Automatic: Suspicious activity will be blocked automatically.
Uncheck both of those boxes.


Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\windows\system32\sdra64.PIF
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe
    
    Drivers to delete:
    ovfsthvsaklemcjsarpvuobrlnppihesjmgose
    ovfsthv
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the avenger window, click the Paste Script from Clipboard button.
  • :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Reply with copy of C:\Avenger.txt
and the DrWeb Cureit report from above.

Barring unforeseen further items, I expect the next round we can proceed towards removing tools and closing this case.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
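The two AutoRun steps in the post above (turning AutoPlay off in TweakUI, and letting Flash Drive Disinfector place a protected Autorun.inf) both exist because of one small file: an Autorun.inf in the root of a drive tells Windows what to launch when the drive is inserted or opened. The following script is an added example, not part of the thread and not code from TweakUI or Flash Drive Disinfector; it reads an Autorun.inf the way a responder would before trusting a drive, lists every directive that would execute something, and separates a vendor-style file (icon and label only) from one that launches a program. The two sample files and the RECYCLER\hidden_dropper.exe name in them are constructed placeholders.

```python
"""Triage an Autorun.inf: list what it would execute before Windows does."""
import re
from dataclasses import dataclass, field

# [autorun] directives that make Windows run something: open/shellexecute at
# insertion time when AutoPlay is on, shell\<verb>\command when the drive is
# double-clicked or right-clicked in Explorer (this works with AutoPlay off).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


@dataclass
class AutorunReport:
    launches: list = field(default_factory=list)  # (directive, command) pairs
    default_verb: str = ""                        # "shell=" entry, if any
    label: str = ""
    icon: str = ""

    @property
    def suspicious(self) -> bool:
        # Vendor discs normally set only icon/label; anything that launches a
        # program from the drive deserves a look before the drive is opened.
        return bool(self.launches)


def parse_autorun(text: str) -> AutorunReport:
    """Tolerant INI-style parse: junk lines and unknown sections are skipped,
    which is also how Windows treats material it does not understand."""
    report = AutorunReport()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS:
            report.launches.append((key, value))
        elif (m := SHELL_COMMAND_RE.match(key)):
            report.launches.append((f"shell\\{m.group(1)}\\command", value))
        elif key == "shell":
            report.default_verb = value
        elif key == "label":
            report.label = value
        elif key == "icon":
            report.icon = value
    return report


# Constructed samples (not files from this thread): a vendor-style file, and a
# worm-style file that points every Explorer action at a placeholder executable
# hidden in a RECYCLER folder like the ones the Avenger script above deletes.
VENDOR_INF = r"""[autorun]
icon=setup.exe,0
label=Camera Software
"""

WORM_INF = r"""[autorun]
; junk line that the reader is expected to ignore
open=RECYCLER\hidden_dropper.exe
shell\open\command=RECYCLER\hidden_dropper.exe
shell\explore\command=RECYCLER\hidden_dropper.exe
shell=open
[other]
key=value
"""


def describe(text: str) -> str:
    """Human-readable summary of one Autorun.inf."""
    r = parse_autorun(text)
    lines = [f"label={r.label!r} icon={r.icon!r} default verb={r.default_verb!r}"]
    for directive, cmd in r.launches:
        lines.append(f"  would run via {directive}: {cmd}")
    verdict = "launches code, quarantine and inspect" if r.suspicious else "icon/label only"
    lines.append("VERDICT: " + verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(VENDOR_INF))
    print(describe(WORM_INF))
```

The parser deliberately ignores anything outside the [autorun] section and any line without an "=", because that is what Windows does too; a file padded with junk still launches whatever its open= or shell\open\command= lines name. Disabling AutoPlay removes the insertion-time trigger, and a pre-existing protected Autorun.inf stops malware from writing its own, which is why the post asks for both.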

#7 Neon Elf

Neon Elf
  • Topic Starter

  • Members
  • 6 posts

Posted 25 May 2009 - 02:51 PM

Prior to doing these steps, but after taking the original steps, I had AVG pop up with this warning:
Trojan horse Agent2.EJA C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP1\A0000001.sys Moved to Virus Vault "5/24/2009, 8:06:51 PM" file C:\WINDOWS\system32\svchost.exe

So something was still active after the initial sweep. Avenger didn't find most of the files (as you warned) but did clear the srda64.PIF file. The DrWeb CureIt directions you gave didn't match exactly the program I downloaded (perhaps a new version?) but I did the best to replicate all the steps you said. It detected bunches of infected files under AOL; I'm tempted to just uninstall AOL and reinstall a fresh version. It also detected and moved VNC viewer, which I have installed on here for work, so it wasn't part of the infection. No big deal, I probably don't need it anymore anyway. Finally, the only thing I'm noticing right now is the task bar is slow to load at log in, leaving large blue boxes at the bottom of the screen, which may just be because of the Ad-aware and AVG programs trying to start up at that time, but it is currently the only thing that is noticeably wrong.


Here are the logs you requested from the next instructions:
C:\Avenger.txt:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\sdra64.PIF" deleted successfully.

< Edited to remove items / files not found. Snipped for readability. ~ Maurice>

Completed script processing.

*******************

Finished! Terminate.



The DrWeb Cureit report:
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Documents and Settings\All Users\Application Data\AOL Downloads\aolcom_setupSTUS\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\aolcom_setupSTUS\comps\coach;Archive contains infected objects;Moved.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach;Archive contains infected objects;Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;C:\Program Files\Online Services\Aol\United States\AOL90E\comps\coach;Archive contains infected objects;Moved.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.51;Incurable.Moved.;
ovfsthujwgkrjelwyelovelaapipvhjumfrqxc.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.115;Incurable.Moved.;
sdra64.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;
protect.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile;Trojan.Alupko.origin;Incurable.Moved.;
ovfsthttjuvpfqbuaowyjaeylkxyytlepdocsq.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.115;Deleted.;
SP31524.exe/musicnow1.exe\data008;C:\SWSETUP\AOLMN\SP31524.exe/musicnow1.exe;Trojan.Click.2093;;
\musicnow1.exe;C:\SWSETUP\AOLMN;Archive contains infected objects;;
SP31524.exe;C:\SWSETUP\AOLMN;Archive contains infected objects;Moved.;
A0000025.dll;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
A0000029.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP1;Trojan.PWS.Panda.114;Deleted.;
A0000132.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2\A0000132.exe;Adware.Gdown;;
A0000132.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Archive contains infected objects;Moved.;
A0000133.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Trojan.Click.2093;Deleted.;
A0000134.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2\A0000134.exe;Adware.Gdown;;
A0000134.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Archive contains infected objects;Moved.;
A0000135.exe\core.cab\GTDOWNAO_106.ocx;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2\A0000135.exe;Adware.Gdown;;
A0000135.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Archive contains infected objects;Moved.;
A0000136.exe/musicnow1.exe\data008;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2\A0000136.exe/musicnow1.exe;Trojan.Click.2093;;
\musicnow1.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Archive contains infected objects;;
A0000136.exe;C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP2;Archive contains infected objects;Moved.;

Edited by Maurice Naggar, 25 May 2009 - 04:02 PM.


#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 25 May 2009 - 04:17 PM

The Avenger run did not show any remaining rootkits, which is a very good result.

After we are all done (later) you can do as needed if you use AOL, and for VNC viewer.
Over the next day or so, given a bit of pc idle time, you should notice a better response in load time.

You should know that the "System Volume Information\_restore" are system restore points for Windows used by the System Restore service. Those items are out of the way and not active. We do not plan on going backwards or using them. They will be flushed later. For now, they do not count as active malware issue.

I'd like for you to run a scan using Sysclean by TrendMicro:
Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

Next, generate a new DDS report (as you did at the very start) for my review.

Download Security Check by screen317 and save it to your Desktop: here or here

  • Run Security Check
  • Follow the onscreen instructions inside of the command window.
  • A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.

Reply with copy of the Sysclean log
the new DDS.txt
the checkup.txt from above
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
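Maurice's point above, that the hits under System Volume Information\_restore are dormant restore-point copies rather than active malware, is a triage rule a responder applies to every scanner report: where a detection sits decides whether it is live. The script below is an added example, not part of the thread and not code from Dr.Web, Trend Micro or any other tool named here. It parses the two report shapes that appear in this thread (the semicolon-separated DrWeb.csv rows and Sysclean's "path [VERDICT]" lines), sorts each detection by location, and prints only the live ones. The quarantine folder names are an assumption based on the paths in the reports above (ComboFix under C:\Qoobox, Dr.Web under the profile's DoctorWeb folder), the treatment of Dr.Web's "Program." prefix as riskware is likewise an assumption, and the sample rows are constructed with placeholder names except where copied from the report above.

```python
"""Sort scanner detections by where they live, so the active ones stand out."""
import re
from collections import Counter
from dataclasses import dataclass

# Substrings matched against the lower-cased path; first hit wins.
# Assumption: these are the quarantine folders of the tools used in the thread
# (ComboFix keeps copies under C:\Qoobox, Dr.Web under <profile>\DoctorWeb).
LOCATION_RULES = (
    (r"\system volume information\_restore", "restore point"),
    (r"\qoobox\quarantine", "quarantined"),
    (r"\doctorweb\quarantine", "quarantined"),
    ("temporary internet files", "browser cache"),
)


@dataclass(frozen=True)
class Detection:
    path: str     # object on disk; for archive members, the archive itself
    verdict: str  # scanner's threat name
    action: str   # what the scanner reported doing, "" if it said nothing


def classify(det: Detection) -> str:
    p = det.path.lower()
    for needle, label in LOCATION_RULES:
        if needle in p:
            return label
    # Assumption: Dr.Web's "Program." prefix marks riskware such as remote
    # admin tools, which may be legitimately installed (the VNC viewer above).
    if det.verdict.lower().startswith("program."):
        return "riskware (verify it is yours)"
    return "LIVE"


def parse_drweb(report: str) -> list:
    """DrWeb.csv rows look like  object;folder;verdict;action;  (see above)."""
    dets = []
    for line in report.splitlines():
        fields = line.split(";")
        if len(fields) < 4:
            continue
        obj, folder, verdict, action = (f.strip() for f in fields[:4])
        obj = obj.lstrip("\\")
        if "\\" in obj or "/" in obj:
            path = folder   # archive member: the folder field already names the archive
        else:
            path = folder.rstrip("\\") + "\\" + obj
        dets.append(Detection(path, verdict, action.rstrip(".")))
    return dets


SYSCLEAN_RE = re.compile(r"^(?P<path>.+) \[(?P<verdict>[^\]]+)\]$")


def parse_sysclean(text: str) -> list:
    """Sysclean 'Files Detected' lines look like  <path> [<VERDICT>]."""
    dets = []
    for line in text.splitlines():
        m = SYSCLEAN_RE.match(line.strip())
        if m:
            dets.append(Detection(m["path"], m["verdict"], ""))
    return dets


def triage(dets: list):
    """Return (count per location class, list of live detections)."""
    counts = Counter(classify(d) for d in dets)
    live = [d for d in dets if classify(d) == "LIVE"]
    return counts, live


# Constructed sample rows in the two formats seen in this thread; names are
# placeholders except where a row is copied from the DrWeb report above.
SAMPLE_DRWEB = r"""inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.51;Incurable.Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;C:\Program Files\Online Services\Aol\United States\AOL90\comps\coach\aolcinst.exe;Adware.Gdown;;
sdra64.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.PWS.Panda.114;Deleted.;
A0000025.dll;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
"""

SAMPLE_SYSCLEAN = r"""C:\Qoobox\Quarantine\C\WINDOWS\system32\rootkit_dll_placeholder.dll.vir [TROJ_TDSS.VK]
C:\Documents and Settings\Jenny\DoctorWeb\Quarantine\protect.dll.vir [TSPY_AGENT.ASZD]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\fakealert_page[1].htm [HTML_FAKEAL.BV]
"""

if __name__ == "__main__":
    dets = parse_drweb(SAMPLE_DRWEB) + parse_sysclean(SAMPLE_SYSCLEAN)
    counts, live = triage(dets)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    for d in live:
        print(f"LIVE: {d.path}  [{d.verdict}]  {d.action or 'no action reported'}")
```

Restore-point and quarantine copies are inert, but they still get flushed at the end of a cleanup, as Maurice says, otherwise a later System Restore or a careless restore from quarantine puts them back; the point of the split is only to keep them from being mistaken for evidence of an ongoing infection.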

#9 Neon Elf

Neon Elf
  • Topic Starter

  • Members
  • 6 posts

Posted 25 May 2009 - 09:34 PM

Thank you for letting me know about the restore points. I've had several more hits on AVG, but they were all of the type you described. I wasn't sure if you wanted the attach.txt like the first time or not, so I included it just in case. Thank you again for your time and effort to help me with this virus.

Sysclean log:

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-25, 16:24:22, Auto-clean mode specified.
2009-05-25, 16:24:23, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-25, 16:24:23, Running scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\TSC.BIN"...
2009-05-25, 16:24:53, Scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\TSC.BIN" has finished running.
2009-05-25, 16:24:53, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)
Windows XP (Build 2600: Service Pack 2)

Start time: Mon May 25 2009 16:24:28

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\tsc.ptn" (version 1036) [success]

Complete time: Mon May 25 2009 16:24:53
Execute pattern count(3052), Virus found count(0), Virus clean count(0), Clean failed count(0)

2009-05-25, 16:24:53, Running scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN"...
2009-05-25, 18:05:04, Scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN" has finished running.
2009-05-25, 18:05:04, VSCANTM Log:

2009-05-25, 18:05:04, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 16:24:54
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

C:\Documents and Settings\Jenny\DoctorWeb\Quarantine\protect.dll.vir [TSPY_AGENT.ASZD]
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthesawpflcnnxtywyexkoujtsqwaryhigv.dll.vir [TROJ_TDSS.VK]
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthewqukngxxulxbtkogiohtpbdulsespsl.dll.vir [TROJ_TDSS.SU]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WPIF0P6F\onlinescanxpp_com[1].htm [HTML_FAKEAL.BV]
92399 files have been read.
92399 files have been checked.
92365 files have been scanned.
243488 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:05:04 1 hour 40 minutes 9 seconds (6009.24 seconds) has elapsed.(65.036 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:05:04, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 16:24:54
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

92399 files have been read.
92399 files have been checked.
92365 files have been scanned.
243488 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:05:04 1 hour 40 minutes 9 seconds (6009.24 seconds) has elapsed.(65.036 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:05:04, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 16:24:54
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

92399 files have been read.
92399 files have been checked.
92365 files have been scanned.
243488 files have been scanned. (including files in archived)
4 files containing viruses.
Found 4 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:05:04 1 hour 40 minutes 9 seconds (6009.24 seconds) has elapsed.(65.036 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:05:04, Running scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN"...
2009-05-25, 18:06:00, Scanner "C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN" has finished running.
2009-05-25, 18:06:00, VSCANTM Log:

2009-05-25, 18:06:00, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 18:05:05
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

1794 files have been read.
1794 files have been checked.
1793 files have been scanned.
1907 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:06:00 54 seconds (54.29 seconds) has elapsed.(30.263 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:06:00, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 18:05:05
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

1794 files have been read.
1794 files have been checked.
1793 files have been scanned.
1907 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:06:00 54 seconds (54.29 seconds) has elapsed.(30.263 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:06:00, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/25/2009 18:05:05
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 147 (402626/402626 Patterns) (2009/05/24) (614700)

Command Line: C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR D:\*.* /P=C:\Documents and Settings\Jenny\Desktop\virusfighters\sysclean\lpt$vpn.147

1794 files have been read.
1794 files have been checked.
1793 files have been scanned.
1907 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/25/2009 18:06:00 54 seconds (54.29 seconds) has elapsed.(30.263 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-25, 18:06:00, Running SSAPI scanner ""...
2009-05-25, 19:00:48, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.73
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/25/2009 18:06:04

Detected: 0 items.

Spyware Scan Ended: 05/25/2009 19:00:48
Scan Complete. Time=3286.818848.

the checkup.txt
Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Ad-Aware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
Jenny Desktop virusfighters SecurityCheck.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 19 seconds.
`````````End of Log```````````


the new DDS.txt

DDS (Ver_09-05-14.01) - NTFSx86
Run by Jenny at 20:28:39.63 on Mon 05/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.447 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Canon\Memory Card Utility\iP6600D\PDUiP6600DMon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jenny\Desktop\virusfighters\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = https://register.hp.com/servlet/WebReg.serv...&prodOS=012
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PDUiP6600DMon] c:\program files\canon\memory card utility\ip6600d\PDUiP6600DMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRunOnce: [TSC] "c:\documents and settings\jenny\desktop\virusfighters\sysclean\tsc_temp\tsc.exe" /HD
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer for hdd camcorder\IMx3Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
uPolicies-explorer: PreXPSP2ShellProtocolBehavior = 0 (0x0)
mPolicies-explorer: HonorAutoRunSetting = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jenny\applic~1\mozilla\firefox\profiles\f6szv0dg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/calendar/render?sourceid=tipcal
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\program files\java6\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_03050024.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-2 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-6 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-6 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [2004-9-17 212608]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S2 akdeeqdt;Realtek 10/100/1000 NIC Family all in one NDIS XP Support;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-25 33752]

=============== Created Last 30 ================

2009-05-25 01:44 <DIR> --d----- c:\documents and settings\jenny\DoctorWeb
2009-05-25 01:31 <DIR> a-dshr-- C:\autorun.inf
2009-05-25 01:28 266,360 a------- c:\windows\system32\TweakUI.exe
2009-05-25 01:28 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-05-24 16:43 <DIR> --d----- c:\docume~1\jenny\applic~1\Malwarebytes
2009-05-24 16:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-24 16:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-24 16:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-24 16:43 <DIR> --d----- c:\program files\Malwarebytes-Anti-Malware
2009-05-24 16:13 154,624 a------- c:\windows\PEV.exe
2009-05-24 15:32 <DIR> --d-h--- c:\windows\PIF
2009-05-24 11:44 <DIR> --d----- c:\windows\system32\New Folder
2009-05-24 11:15 <DIR> --dsh--- c:\docume~1\jenny\applic~1\lowsec
2009-05-22 23:26 <DIR> --d----- C:\!KillBox
2009-05-22 22:13 502,272 a------- c:\windows\system32\WINLOGON.EXE
2009-05-18 21:05 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-05-18 21:05 <DIR> --d----- c:\program files\MSECACHE
2009-05-18 21:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-18 21:04 <DIR> --d----- c:\program files\Java6
2009-05-17 08:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\QHIXTZODYG
2009-05-12 22:04 <DIR> --d----- c:\program files\Trend Micro
2009-05-06 22:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-06 22:28 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-06 22:28 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-06 22:28 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-06 22:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-06 22:27 <DIR> --d----- c:\docume~1\jenny\applic~1\AVGTOOLBAR
2009-05-06 22:27 <DIR> --d----- c:\program files\AVG
2009-05-06 22:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-06 13:30 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-05 21:42 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-05-05 21:41 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-05 21:18 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-05-03 00:14 161,792 a------- c:\windows\SWREG.exe
2009-05-03 00:14 98,816 a------- c:\windows\sed.exe
2009-05-02 22:57 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-02 21:57 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-02 21:50 <DIR> --d----- c:\program files\Lavasoft
2009-05-02 20:42 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-05-18 21:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-21 08:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 08:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 08:00 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 22:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe

============= FINISH: 20:29:04.58 ===============

#10 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 26 May 2009 - 05:20 PM

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Download OTListIt2 by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
